December 05, 2019

OCR Settles with Hospitals for Failure to Notify After Breach

On November 27, OCR announced that it had agreed to a settlement of $2.175 million with Sentara Hospitals for alleged violations of HIPAA breach notification rules. While investigating a complaint, OCR discovered that Sentara had mailed the PHI of 577 patients, including patient names, account numbers, and dates of services, to the wrong addresses. According to OCR, “Sentara reported this incident as a breach affecting 8 individuals, because Sentara concluded, incorrectly, that unless the disclosure included patient diagnosis, treatment information or other medical information, no reportable breach of PHI had occurred.” OCR advised Sentara of its duty to report, but Sentara still did not properly report the breach. As part of the settlement, Sentara will undertake a corrective action plan that includes two years of monitoring.