Healthcare News
Articles, Jobs and Consultants for the Healthcare Professional

$2.175M HIPAA settlement highlights breach reporting

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced its settlement with Sentara Hospitals for failing to properly report a breach and for allowing its parent corporation to create, receive, maintain or transmit protected health information (PHI) of Sentara affiliated hospitals without entering into a business associate agreement (BAA).

The settlement arose out of the mailing of billing statements to incorrect addresses, disclosing PHI of 577 individuals. According to the press release, Sentara undercounted the number of affected individuals due to its mistaken conclusion that only disclosures of patient diagnosis, treatment information or other medical information were required to be reported. As a result, Sentara reported the number of affected individuals as eight, rather than the 577 individuals whose names, account numbers and dates of service were mailed to the wrong addresses and were therefore required to be reported under the Breach Notification Rule. The failure to recognize PHI was exacerbated by the refusal to properly report the breach even after being advised by OCR to do so.

This settlement highlights the importance of performing an appropriate and prompt risk assessment to determine whether a “breach” of PHI occurred and satisfying related reporting obligations under the Breach Notification Rule and state law. The announcement also serves as another reminder for covered entities and business associates to identify their business associate relationships and enter into a BAA documenting each business associate relationship.

Cooper, Esq., Richard S.


McDonald Hopkins LLC


January 13, 2020
