10 Dec 2019

“Eight is Enough”

A great, wholesome, family show from the late '70s and early '80s. Also: what Sentara Hospital, with over 300 facilities across the states of North Carolina and Virginia, is telling the Department of Health and Human Services' Office for Civil Rights (OCR) after being on the receiving end last month of this year's (2019) 8th HIPAA financial penalty… A mind-boggling $2.175 million fine!

What Happened?

Sentara Hospital was recently fined this staggering sum after it was discovered that they had breached HIPAA rules. And what's really notable about this is that the size of the fine wasn't driven by the actual breach, which, in the whole scheme of things, was not the worst breach that we have seen. (We'll get to that in a second.) The reason they were fined so much is that they absolutely refused to comply with HIPAA's Breach Notification Rule (45 C.F.R. § 164.408)!

The Violation

The OCR received a complaint from a patient back in April 2017 who had received another patient's bill. Obviously this is a problem, because the person who received the other person's medical bill had access to that person's protected health information (PHI).

What happened is that Sentara merged the billing statements of 16,342 different guarantors' mailing labels and accidentally mailed 577 letters containing PHI to the wrong addresses. Once they realized what had happened, Sentara did what they apparently thought was right and reported the incident. BUT they reported it as having affected only eight patients.

If you’re thinking “Eight is a lot less than 577!” then you are of the same mind as the OCR.  If you are also thinking the number eight just came back around again, we are with you on that one.  But we digress…

Why Only Eight?

According to Sentara, they felt that since 569 of the mis-mailed letters did not contain diagnoses, treatment information, or medical data, a PHI breach did not occur. Those 569 letters only contained names, account information, and dates of service, so no PHI was breached, right?

Not according to the HIPAA rules and regulations, which state that ALL PHI must be protected, not just the information that Sentara thinks is important.

Sentara, instead of agreeing and abiding, doubled down.

“When healthcare providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.”

– OCR Director Roger Severino

And what's even worse? The OCR discovered that Sentara had failed to enter into a business associate agreement (BAA) with Sentara Healthcare (a covered entity that handled PHI for members of the health system) until October 17, 2018.

So what is the takeaway?

It is vitally important that your practice implements HIPAA requirements and maintains compliance.  Also, don’t tell the OCR that they are in the wrong because they will come after you.

That being said, HIPAA is nothing if not complicated, and the OCR doesn’t exactly make HIPAA compliance a breeze for practitioners… Or anyone, for that matter.  If you are having trouble wading through HIPAA waters, contact Petronella Technology Group for a free consultation.  Better safe than sorry.
