Privacy Rule Breach Notification failure leads to many more HIPAA violations
What happens when a hospital group completely ignores a Federal Regulator’s order to report privacy breaches?
Let’s find out.
Billing Error Leads to Privacy Breach
In April, 2017, The Department of Health and Human Services (HHS) received a complaint alleging Sentara Hospitals had sent a bill to an individual containing another patient’s protected health information (PHI).
Sentara operates 12 acute care hospitals and about 300 care locations throughout Virginia and North Carolina.
Breach Notification Failure
It is a violation of the Health Insurance Privacy and Accountability Act (HIPAA) to share PHI with unauthorized parties. Although it clearly made an error when delivering its invoices to patients, the real insult to the regulator was Sentara’s failure to notify the Office for Civil Rights, HHS’s investigative agency.
As usually happens with an OCR investigation, one violation always leads to more. In the case of Sentara, more means hundreds and hundreds.
Sentara actually mailed 577 patients’ PHI to wrong addresses. The bills included patient names, account numbers, and dates of services.
Failure to understand HIPAA Breach Notification Rules
Sentara concluded, incorrectly, that unless the disclosure included patient diagnosis, treatment information or other medical information, no reportable breach of PHI had occurred.
Sentara persisted in its refusal to properly report the breach even after being informed of their duty to do so by OCR.
Missing Business Associate Agreement
OCR also determined that Sentara failed to have a business associate agreement in place with Sentara Healthcare, an entity that performed business associate services for Sentara.
Breach Notifications are an essential element of HIPAA’s Privacy Rule because the regulators rely on Covered Entities and Business Associates to be the first line of HIPAA enforcement.
Business Associate Agreements are binding, legal contracts between medical service providers and the contractors they hire who have access to PHI. Failure to have valid Business Associate Agreements is a HIPAA violation.
Failure to be completely transparent when a privacy rule breach is discovered is a major HIPAA violation.
The Duty to Report A HIPAA Privacy Rule Breach
“HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed.” said Roger Severino, OCR Director.
“When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR,” added Severino.
Sentara agreed to pay the OCR $2.175 million for its violations. The hospital group also agreed to be directly monitored by the OCR for two years. Details of the Corrective Action Plan are available here.