HIPAA Breach Case Study – 1 Mistake Can Cost Millions
Sentara Hospitals was investigated by, and ultimately settled with, the OCR for $2.175 million. The investigation followed a complaint from a patient in April 2017 that their hospital bill had been mailed containing someone else’s PHI. Initially, Sentara Hospitals reported that only 8 patients were impacted, because it believed the other recipients had not received PHI in the bills sent to them in error.
In all, 577 individuals incorrectly received someone else’s hospital bill. The OCR determined that PHI was included in all 577 hospital bills. The error was the result of a mail merge.
Because of that single complaint, the Office for Civil Rights investigated Sentara Hospitals’ HIPAA compliance program and found that a Business Associate Agreement (BAA) was not in place with Sentara Healthcare.
What Could Have Been Done Differently?
There are a few things that could have been handled differently in this case.
- There should be some type of failsafe in place to ensure that information is not sent to the wrong individual.
- A BAA is required for all vendors who may come in contact with PHI. Sentara Healthcare is a part of Sentara Hospitals but is not included as part of the covered entity. As such, Sentara Healthcare needs to sign a Business Associate Agreement before having access to PHI.
- The disagreement between Sentara Hospitals and the OCR stems from Sentara Hospitals believing that PHI was not disclosed in 569 of the 577 hospital bills.
- Even after Sentara Hospitals was advised that all 577 patients needed to be notified of the breach, Sentara did not notify them within a reasonable amount of time because it believed the information was not PHI.
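One form that failsafe could take, shown here as an added illustration that is not part of the original post and is not Sentara’s process: a reconciliation step that refuses to release a merged billing batch unless every letter’s statement belongs to the patient whose address is on its envelope and contains no other patient’s identifiers. The patient records, field names, and the off-by-one misalignment used to exercise the check are all constructed for this example.

```python
"""Pre-mailing reconciliation gate for a billing mail merge (illustrative only).

Assumptions (not from the case): each source record has an account id, name,
address and balance; the merge produces one letter per record, carrying the
envelope addressee's account id and the rendered statement text.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PatientRecord:
    account_id: str
    name: str
    address: str
    balance: str


@dataclass(frozen=True)
class MergedLetter:
    envelope_account_id: str  # record whose address was printed on the envelope
    envelope_address: str
    body: str                 # rendered statement; this is the PHI that gets mailed


# Constructed sample records; names and ids are placeholders, not real patients.
SAMPLE_RECORDS = [
    PatientRecord("A-1001", "Pat Example", "1 First St", "$120.00"),
    PatientRecord("A-1002", "Sam Sample", "2 Second Ave", "$45.50"),
    PatientRecord("A-1003", "Lee Placeholder", "3 Third Rd", "$0.00"),
    PatientRecord("A-1004", "Kim Fictional", "4 Fourth Blvd", "$310.25"),
]


def render_statement(rec: PatientRecord) -> str:
    """Render the statement text that goes inside the envelope."""
    return (f"Account: {rec.account_id}\nPatient: {rec.name}\n"
            f"Amount due: {rec.balance}\n")


def mail_merge(records, offset: int = 0):
    """Simulated merge. offset=0 pairs each envelope with its own statement;
    offset=1 reproduces a constructed misalignment where every envelope
    receives the next record's statement."""
    n = len(records)
    letters = []
    for i, rec in enumerate(records):
        body_rec = records[(i + offset) % n]
        letters.append(MergedLetter(rec.account_id, rec.address,
                                    render_statement(body_rec)))
    return letters


def reconcile(records, letters):
    """Return a list of problems found in the batch; empty means releasable."""
    problems = []
    by_id = {r.account_id: r for r in records}
    if len(letters) != len(records):
        problems.append(f"count mismatch: {len(records)} records, "
                        f"{len(letters)} letters")
    seen = set()
    for idx, letter in enumerate(letters):
        rec = by_id.get(letter.envelope_account_id)
        if rec is None:
            problems.append(f"letter {idx}: unknown envelope account "
                            f"{letter.envelope_account_id}")
            continue
        if rec.account_id in seen:
            problems.append(f"letter {idx}: duplicate envelope for {rec.account_id}")
        seen.add(rec.account_id)
        if letter.envelope_address != rec.address:
            problems.append(f"letter {idx}: envelope address does not match "
                            f"record {rec.account_id}")
        # The statement inside must be the addressee's own.
        if (f"Account: {rec.account_id}" not in letter.body
                or rec.name not in letter.body):
            problems.append(f"letter {idx}: body does not belong to addressee "
                            f"{rec.account_id}")
        # And it must not carry any other patient's identifiers.
        for other in records:
            if other.account_id == rec.account_id:
                continue
            if other.account_id in letter.body or other.name in letter.body:
                problems.append(f"letter {idx}: body contains PHI of "
                                f"{other.account_id}")
    for missing in sorted(set(by_id) - seen):
        problems.append(f"no letter produced for {missing}")
    return problems


def release_batch(records, letters) -> bool:
    """Gate used by the mailing step: True only when reconciliation is clean."""
    return not reconcile(records, letters)


if __name__ == "__main__":
    print("aligned batch releasable:", release_batch(SAMPLE_RECORDS, mail_merge(SAMPLE_RECORDS)))
    for p in reconcile(SAMPLE_RECORDS, mail_merge(SAMPLE_RECORDS, offset=1)):
        print("BLOCKED:", p)
```

The check is deliberately independent of the merge tool: it takes the source records and the rendered output and verifies them against each other, so a bug in the merge step cannot also silently disable the verification. A batch that fails is held rather than partially sent.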
The Potential Cost
The fine from HHS was $2.175 million. Sentara Hospitals will also be under a corrective action plan for 2 years. The ancillary costs cannot be determined, but there will be additional costs in fulfilling the obligations of the corrective action plan.
The lesson here is simple. All it takes is one complaint for the OCR to investigate your HIPAA compliance program. When this happens, there is a good chance the OCR will uncover other HIPAA failures.
As you can see, in this case all it took was a misunderstanding of HIPAA to cost a hospital $2.175 million. That is not a large fine for a hospital system as large as Sentara, but it was also avoidable.
Here are the lessons to be learned from this case:
- Understand what constitutes PHI. After being told by the OCR that all 577 records contained PHI, acknowledge this and notify the impacted patients immediately per HIPAA guidelines.
- Follow breach notification rules. Impacted individuals are to be notified within 60 days of the breach, not after the disagreement with the OCR is concluded.
- Business Associate Agreements are needed for all vendors who may come in contact with healthcare records.
- Some healthcare providers require BAAs with all vendors, whether they may view PHI or not.
$2.175 million is not a huge fine for the Sentara Hospitals system. The 2 years of corrective action is probably more of a hassle than the financial penalty. The OCR has repeatedly said the fines are not about the money but about HIPAA enforcement.
It is about making sure the patient’s privacy is protected. At the end of the day, the healthcare records belong to the patient, not the hospital.
“HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed,” said Roger Severino, OCR Director. “When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.”