“Eight is Enough”
A great, wholesome family show from the late 70s and early 80s. Also: what Sentara Hospital, with over 300 facilities across the states of North Carolina and Virginia, is telling the Department of Health and Human Services’ Office for Civil Rights (OCR) after being on the receiving end last month of this year’s (2019) 8th HIPAA financial penalty… A mind-boggling $2.175 million fine!
Sentara Hospital was recently fined this staggering sum after it was discovered that they had breached HIPAA rules. What’s really notable is that the fine was not levied primarily because of the breach itself, which, in the whole scheme of things, was not the worst breach we have seen. (We’ll get to that in a second.) The reason they were fined so much is that they flatly refused to comply with HIPAA’s Breach Notification Rule – 45 C.F.R. § 164.408!
The OCR received a complaint from a patient back in April 2017 who had received another patient’s bill. Obviously this is a problem, because the person who received the other patient’s medical bill now had access to that patient’s protected health information (PHI).
What happened is that Sentara merged the billing statements of 16,342 different guarantors’ mailing labels and accidentally mailed 577 letters containing PHI to the wrong addresses. Once they realized what had happened, Sentara did what they apparently thought was right and reported the incident. BUT they reported it as having affected only eight patients.
If you’re thinking “Eight is a lot less than 577!” then you are of the same mind as the OCR. If you are also thinking the number eight just came back around again, we are with you on that one. But we digress…
Why Only Eight?
According to Sentara, since 569 of the mis-mailed letters did not contain diagnoses, treatment information, or medical data, a PHI breach had not occurred. Those 569 letters only contained names, account information, and dates of service, so that’s not a breach of those patients’ PHI, right?
Not according to HIPAA rules and regulations, which state that ALL PHI must be protected, not just the information that Sentara thinks is important. Names, account numbers, and dates of service are all identifiers that make health information PHI under HIPAA, so letters containing them sent to the wrong person are a breach just as much as letters containing diagnoses.
Sentara, instead of agreeing and abiding, doubled-down.
“When healthcare providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.”
-OCR Director, Roger Severino
And what’s even worse? The OCR discovered that Sentara had failed to enter into a business associate agreement (BAA) with Sentara Healthcare (the entity that handled PHI on behalf of the hospitals in the health system) until October 17, 2018.
So what is the takeaway?
It is vitally important that your practice implements HIPAA requirements and maintains compliance. Also, don’t tell the OCR that they are in the wrong, because they will come after you.
That being said, HIPAA is nothing if not complicated, and the OCR doesn’t exactly make HIPAA compliance a breeze for practitioners… or anyone, for that matter. If you are having trouble wading through HIPAA waters, contact Petronella Technology Group for a free consultation. Better safe than sorry.