
Hospital group pays millions to settle HIPAA case


Sentara Hospitals agreed to take corrective action for an April 2017 HIPAA violation

A hospital group serving Virginia and North Carolina has agreed to take corrective action and pay $2.175 million for failing to notify HHS about a HIPAA violation, according to an HHS news release.

Sentara Hospitals, which comprises 12 acute care hospitals with more than 300 sites, made the payment to the Office of Civil Rights (OCR) at HHS to settle possible violations of HIPAA breach notification and privacy rules stemming from an April 2017 incident.

At that time, HHS received a complaint that Sentara sent a bill to a patient with another patient’s protected health information. Further investigation found the hospital group mailed 577 patients’ protected health information to wrong addresses, but it reported the incident as a breach affecting only eight patients, the release says.

Sentara believed, incorrectly, that only breaches that included information on patient diagnosis and treatment needed to be reported to HHS. The hospital group refused to report the breach even after being explicitly advised to do so by OCR, the release says.

The office also determined that the hospital group failed to have a business associate agreement in place with Sentara Healthcare, which performed business associate services for the group.

“HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed,” Roger Severino, OCR Director, says in the release. “When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.”

According to the release, Sentara will undertake a corrective action plan, which includes two years of monitoring, in addition to the monetary settlement.
