HIPAA: Failure to Report Breach Costs Hospital $2.175 Million

05 December 2019 Blog
Author(s): Jennifer J. Hennessy
Published To: Health Care Law Today Innovative Technology Insights

One health system recently learned the cost of relying too heavily on the HIPAA Breach Notification Rule’s “low probability of compromise” standard when it failed to notify all affected individuals and report the HIPAA breach to the Office for Civil Rights (OCR). 

HIPAA covered entities frequently struggle with determining whether an inappropriate disclosure of protected health information (PHI) rises to the level of a reportable HIPAA breach—or alternatively, whether the disclosure creates only a “low probability of compromise.” A low probability of compromise determination means the covered entity is not required to notify the affected individual(s) or OCR under HIPAA’s Breach Notification Rule. 

On November 27, 2019, Sentara Hospitals (Sentara), a health system with sites of care in Virginia and North Carolina, settled with OCR for $2.175 million for failing to properly notify OCR and affected individuals of a breach of unsecured PHI. Specifically, Sentara mailed out 577 patient billing statements to the incorrect addresses. The billing statements included patient names, account numbers, and dates of services. At the time of the incident, Sentara conducted a risk assessment and determined Sentara only needed to notify eight individuals of the breach because the other disclosures did not contain a patient diagnosis, treatment information, or other medical information. That is, Sentara determined the other disclosures created only a “low risk of compromise” to the PHI and thus, notification was not required. 

Sentara also did not notify OCR at the time, since Sentara treated the breach as one affecting less than 500 individuals (i.e., only eight individuals were notified). Breaches affecting 500 or more individuals must be reported to OCR within 60 days of discovery of the breach; breaches affecting less than 500 individuals must be reported to OCR within 60 days of the end of the calendar year in which the breach was discovered. Importantly, OCR automatically launches an investigation into any entity reporting a breach affecting 500 or more individuals. Here, OCR commenced an investigation after receiving an individual’s complaint. OCR noted in its press release that even after Sentara was “explicitly advised” by OCR to report the breach, Sentara refused to do so.   

In addition, during the investigation, OCR determined that Sentara did not have a business associate agreement (BAA) in place with Sentara Healthcare, the parent company that performed business associate services for Sentara.  Sentara’s settlement is a reminder that any entity performing business associate services on behalf of a covered entity, even if affiliated, must have a BAA in place with the covered entity.  

In addition to the $2.175 million settlement, Sentara also entered into a resolution agreement and corrective action plan which includes two years of monitoring and an ongoing requirement to provide the OCR with an evaluation of each potential unauthorized acquisition, access, use or disclosure of PHI within 15 days of such determination, whether or not the incident rises to the level of a reportable breach.   

Note that Sentara was designated as an affiliated covered entity (ACE) under HIPAA. The entities in an ACE are jointly and severally liable for HIPAA violations, meaning all ten hospitals within the ACE are liable for the settlement amount, not just the hospital which sent out the incorrect mailings. While there are many benefits of functioning as an ACE (e.g., sharing HIPAA policies and procedures, one member of the ACE entering into BAAs on behalf of the other members, etc.), this settlement demonstrates one downside of being a member of an ACE. 

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.

Related Services