Sentara Hospitals in Virginia and North Carolina agreed to take corrective actions and pay $2.175 million to settle potential HIPAA violations stemming from a complaint alleging the organization sent a bill to an individual containing another patient’s PHI.1 OCR determined Sentara mailed 577 patients’ PHI to wrong addresses. Sentara reported the incident as a breach affecting only eight people because they concluded (incorrectly) that unless the disclosure included patient diagnosis, treatment information, or other medical information, no reportable breach of PHI had occurred. “Sentara persisted in its refusal to properly report the breach even after being explicitly advised of their duty to do so by OCR,” the office reports. OCR also determined Sentara failed to put a business associate agreement in place with another company.1
Matthew R. Fisher, JD, partner with Mirick O’Connell in Worcester, MA, says the easy lesson is not to fight with OCR over interpretation of the regulations implementing HIPAA. Some portions of the regulations may be subject to reasonably different interpretations. However, if OCR says it believes a bigger breach than reported occurred, pushing back is destined to fail.
The common thread that runs through breach-related settlements is the requirement for companies to develop policies and procedures to comply with applicable notification regulations, says Eric B. Stern, JD, partner with Kaufman Dolowich & Voluck in Woodbury, NY. In fact, he says, most of the “Corrective Action Obligations” section of the “Corrective Action Plan” relates to forming and distributing of such policies and procedures.
As new privacy laws and regulations are put forth on both the state and federal levels, Stern says every covered entity should work with competent counsel to develop policies and procedures for breach preparedness, avoidance, and response that is compliant with applicable laws and regulations; conduct a bi-annual audit of the policies and procedures to ensure compliance; and follow those policies and procedures to prevent a breach and in response to one. Despite healthcare providers having to comply with HIPAA since 1996, they still continue to violate the law by failing to properly report breaches and by failing to put business associate agreements (BAA) in place, says Sara H. Jodka, JD, an attorney with Dickinson Wright in Columbus, OH. “These issues are HIPAA-compliance 101, yet healthcare providers are still messing these requirements up. It would be different if we were dealing with new technology issues, such as ransomware attacks or a new type of code-corrupted ERM databases, but this is not that,” Jodka says. “This is failing to neglect simple, routine HIPAA compliance requirements.”
Healthcare providers still have to sweat the small stuff. “Firewalls and state-of-the-art technology are critical for HIPAA compliance, but those things are just as important as proper reporting and having proper BAAs in place,” she says.
Marissa G. Weitzner, JD, senior counsel in the Houston office of Clark Hill, noted there were three seven-figure fines levied in 2019 related to HIPAA violations. This is a sign OCR will continue its robust HIPAA enforcement.
“Sentara’s self-reporting was incorrect, and its insistence on an inappropriate definition of what constitutes PHI increased its liability,” she observes. “Had Sentara appropriately entered into a BAA with its parent entity, or appropriately self-reported the breach, it is unlikely it would have incurred liability for the business associate matter.”
Matt Frederiksen-England, CHC, CHPR, CHRC, faculty member at Walden University in Minneapolis, says there are several action items these settlements might prompt for compliance:
- Review organizational policies to ensure they detail the patient’s right to access medical records within 30 days of the request and the patient’s right to request their medical records in a specific format, either paper or electronic;
- When releasing information, verify employees are following a practice that demonstrates compliance with the individual’s right to access requirements;
- Ensure breach notification policies are up to date.
Because the HIPAA Privacy Rule allows a covered entity to perform a risk assessment, it is imperative professionals develop a tool to evaluate a potential breach before assuming an event is nonreportable. According to OCR, this tool should include the following factors:
- The nature and extent of the PHI involved, including any patient identifiers or likelihood of reidentification;
- The unauthorized person who used the PHI or to whom the disclosure was made;
- Whether the PHI was viewed or acquired;
- The extent to which risk to the PHI was mitigated;
- Ensure a policy exists regarding BAAs, and a process is in place to ensure contract and capital purchases are reviewed to ensure appropriate BAAs are in place.
- HHS.gov. OCR secures $2.175 million HIPAA settlement after hospitals failed to properly notify HHS of a breach of unsecured protected health information, Nov. 27, 2019. Available at: http://bit.ly/2U1LeML.