Sentara Hospitals fined for unsecured and unreported HIPAA breach

Featured image

Share this article

sentara hospital in Virginia HIPAA breach

Image source

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) secured a $2.175 million settlement from Sentara Hospitals, 12 acute care hospitals with more than 300 sites throughout Virginia and North Carolina, after its failure to accurately report a breach.

This failure along with its other violations, even after advisement from OCR, increased the penalties Sentara received.

The initial complaint

HHS received a complaint April 2017 alleging that a Sentara patient was sent a bill containing another patient’s protected health information (PHI).

Sentara initially reported 8 individuals affected, but the OCR investigation discovered 577 billing statements containing unsecured PHI were mailed erroneously after the information from 16,342 different mailing labels were merged.

OCR advised Sentara to report the breach as investigated, but the company would not comply, effectively augmenting their violations and penalties.

What rules were violated?

Sentara was in violation of accurate and timely self-reporting, breaking HIPAA Breach Notification Rule 45 CFR §§ 164.400–414.

Under the Rule, businesses are required to notify all affected patients, HHS, and the media following a breach.

Furthermore, Sentara Hospitals also failed to enact a business associate agreement with Sentara Healthcare (who sent the unsecured PHI) as required under HIPAA rule 45 CFR §§ 164.504(e)(2).

The penalties imposed on Sentara

The $2.175 million settlement is one of the largest fines so far this year, but Sentara also had to agree to create a corrective action plan.

Policies and procedures had to be redeveloped and revised to comply with HIPAA.

Sentara then has to communicate the changes to HHS within 90 days, implementing them within 60 days of approval.

Finally, Sentara has to send OCR an implementation report within 120 days of initial implementation and for the next 6 years.

 

Try Paubox Email Suite for FREE today.
Author Photo

About the author

Rick Kuwahara

Rick Kuwahara is COO and Chief Compliancy Officer for Paubox.

Read more by Rick Kuwahara

Get started with
end-to-end protection

Bolster your organization’s security with healthcare’s most trusted HIPAA compliant email solution

The #1-rated email encryption 
and security software on G2

G2 Badge: Email Encryption Leader Fall 2022
G2 Badge: Security Best Usability Fall 2022
G2 Badge: Encryption Momentum Leader Fall 2022
G2 Badge: Security Best Relationship Fall 2022
G2 Badge: Security Users Most Likely to Recommend Fall 2022
G2 Badge: Email Gateway Best Relationship Fall 2022
G2 Badge: Email Gateway Best Meets Requirements Fall 2022
G2 Badge - Users Most Likely to Recommend Summer 2022
G2 Badge: Email Gateway Best Results Fall 2022
G2 Badge: Email Gateway Best Usability Fall 2022
G2 Badge: Email Gateway Best Support Fall 2022
G2 Badge: Email Gateway Easiest To Use Fall 2022
G2 Badge: Email Gateway Easiest Setup Fall 2022
G2 Badge: Email Gateway Easiest Admin Fall 2022
G2 Badge: Email Gateway Easiest to do Business with Fall 2022
G2 Badge: Email Gateway Highest User Adoption 2022
G2 Badge: Email Gateway High Performer Fall 2022
G2 Badge: Email Gateway Momentum Leader Fall 2022
G2 Badge: Email Gateway Most Implementable Fall 2022
G2 Badge: Email Gateway Users Most Likely to Recommend Fall 2022