Failure to Properly Report HIPAA Breach Results in $2.175 Million Settlement by Sentara Hospitals

In order to settle potential violations under the Health Insurance Portability and Accountability Act (HIPAA), Sentara Hospitals, a Virginia-based network of 12 hospitals, has agreed to pay $2.175 million to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS).

On April 17, 2017, a complaint was filed with HHS alleging Sentara had sent a hospital bill to an individual with another patient’s protected health information (PHI). The OCR’s investigation revealed that the billing statements of 577 patients, which included patient names, dates of services, and account numbers, were inadvertently sent to the wrong addresses.

Sentara underreported the incident because it insisted only eight breaches occurred. It incorrectly asserted that the other incidents were not HIPAA breaches since they didn’t include patient diagnoses, treatment, or other medical information. The OCR insisted Sentara had a legal duty to properly report the extent of the breaches, but no amendment was made to the report.

“HIPAA compliance depends on accurate and timely self-reporting breaches because patients and the public have a right to know when sensitive information has been exposed,” said the OCR Director, Roger Severino. “When health care providers blatantly fail to report breaches as required by the law, they should expect vigorous enforcement action by OCR.”

The investigation also found Sentara and Sentara Healthcare engaged in services involving the maintenance and disclosure of PHI but failed to enter into a business associate agreement until 18 months after the breaches occurred.

In addition to the hefty monetary penalty, Sentara also entered into a corrective action plan (CAP) and agrees, among other things, to:

  • Develop, maintain, and revise its HIPAA policies and procedures;
  • Provide HIPAA-related training material for its employees;
  • Two years of monitoring by the HHS;
  • Notify HHS of any future breaches; and
  • Submit reports to HHS of the implementation of the CAP.

HIPAA covered entities, as well as business associates, must understand what types of disclosures warrant HIPAA breach notification requirements. Learn how to navigate through these many obligations with ComplianceDashboard: HIPAA Pro!


This information and content contained in this blog post are for general information purposes only, and does not, and is not intended to, constitute legal advice.

Leave a Reply

Your email address will not be published. Required fields are marked *