HIPAA Breach Case Study – 1 Mistake Can Cost Millions
Sentara Hospitals was investigated and ultimately settled with the OCR for $2.175 million. This was the result of an investigation by the OCR after a patient complained in April of 2017 of being mailed someone else’s PHI in their hospital bill. Initially, Sentara Hospitals reported that only 8 patients were impacted because Sentara Hospitals believed the others did not receive PHI in the bills sent to them in error.
In all, it was reported that 577 individuals incorrectly received someone else’s hospital bill. The OCR determined that PHI was included in all 577 hospital bills. The error was the result of a mail merge.
Because of the single complaint, the Office of Civil Rights investigated Sentara Hospital’s HIPAA Compliance program and found that a Business Associate Agreement (BAA) was not in place with Sentara Healthcare.
What Could Have Been Done Differently?
There are a few things that could have been handled differently in this case.
- There should be some type of failsafe in place to ensure information does not wind up being sent to the wrong individual.
- A BAA is required for all vendors who may come in contact with PHI. Sentara Healthcare is a part of Sentara Hospitals but is not included as part of the covered entity. As such, Sentara Healthcare needs to sign a Business Associate Agreement before having access to PHI.
- The disagreement between Sentara Hospitals and the OCR stems from Sentara Hospitals believing that PHI was not disclosed in 569 of the 577 hospital bills.
- Even after Sentara Hospitals was advised that all 577 patients needed to be notified of the breach, Sentara did not notify them in a reasonable amount of time because they believed it was not PHI.
The Potential Cost
The fine from HHS was $2.175 million. Sentara Hospitals will also be on a corrective action plan for 2 years. The ancillary costs cannot be determined but there will be additional costs in fulfilling their obligations on the corrective action plan.
The lesson here is simple. All it takes is one complaint to have the OCR investigating your HIPAA Compliance program. When this happens, there is a good chance the OCR will uncover other HIPAA failures.
As you can see in this case, all it took was not understanding HIPAA to cost a hospital $2.175 million. In all, that’s not a large fine for a hospital system as large as Sentara, but it’s also avoidable.
Here’s the lesson(s) to be learned in this case:
- Understand what constitutes PHI. After being told by the OCR that all 577 records were PHI, acknowledge this and notify the impacted patients immediately per HIPAA guidelines.
- Follow breach notification rules. Impacted individuals are to be notified within 60 days of the breach, not after the disagreement with the OCR is concluded.
- Business Associate Agreements are needed for all vendors who may come in contact with healthcare records.
- Some healthcare providers require BAAs with all vendors, whether they may view PHI or not.
$2.175 million is not a huge fine for the Sentara Hospital system. The 2 years of corrective action is probably more of a hassle than the financial penalty. The OCR has repeatedly said the fines are not about the money but about HIPAA enforcement.
It is about making sure the patient’s privacy is protected. At the end of the day, the healthcare records belong to the patient, not the hospital.
“HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed,” said Roger Severino, OCR Director. “When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.”
This is such important information for all of us to know. Thanks so much for sharing this with all of us!
Yikes, what an expensive mistake. I always worry that our info will be leaked. You just never know.
That was an expensive mistake. I mean, mistakes happen but it’s important to follow the regulation when they do.
I hope companies can be more wise with these breaches. I remember when my credit card was involved in a breach and it was a pain to have to get a new card and call all my bill companies.
Although that looks like a lot of money for a security breach, I wonder how much it is compared to what Sentara was bringing in. It is also scary stuff since my family was in the Sentara system. Thanks for the information.
That really is an expensive mistake. And a scary one too. Especially when your personal information is at risk.
Wow! I have never thought that a mistake could cost so much money!
I do not know all this great scandal but it is always interesting to get informed.
Very interesting and something I haven’t put much thought into. Thank you for sharing.
I am not sure why companies are still making silly mistakes around mail merge. Maybe it was difficult to do a quick check before sending it out in the post. Hopefully, they can use AI to reduce this kind of error.
We learn something new each day. Have not heard of this problem, interesting read.
The lesson is simple indeed. It only takes one complaint to unravel the rest. Great message here.
How crazy!! This was a really interesting read!
I have learned something today, thanks to this article! When you talk about numbers and math there is a lot to consider. I will make a follow-up read on the same article and know more.
Wow, that was a huge fine. One mistake can lead to a huge domino effect that isn’t good at all.
I know HIPAA laws are very strict and mandatory for the healthcare industry. Considering their importance to the purpose, we need such rules and regulations too. Thanks for sharing this case study.