Healthcare News
Articles, Jobs and Consultants for the Healthcare Professional
Home      View Jobs     Post Jobs     Library     Advertise     Plan Financials     About     Subscribe     Contact    
Healthcare News
Richard S. Cooper. Esq., Member, McDonald Hopkins LLC

$2.175M HIPAA settlement highlights breach reporting

By Richard S. Cooper, Esq.
McDonald Hopkins LLC

See all this Month's Articles

Original Publish Date: January 14, 2020

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced its settlement with Sentara Hospitals for failing to properly report a breach and for allowing its parent corporation to create, receive, maintain or transmit protected health information (PHI) of Sentara affiliated hospitals without entering into a business associate agreement (BAA).

The settlement arose out of the mailing of billing statements to incorrect addresses, disclosing PHI of 577 individuals. According to the press release, Sentara undercounted the number of affected individuals due to its mistaken conclusion that only disclosures of patient diagnosis, treatment information or other medical information were required to be reported. As a result, Sentara reported the number of affected individuals as eight, rather than the 577 individuals whose names, account numbers and dates of service were mailed to the wrong addresses and were therefore required to be reported under the Breach Notification Rule. The failure to recognize PHI was exacerbated by the refusal to properly report the breach even after being advised by OCR to do so.

This settlement highlights the importance of performing an appropriate and prompt risk assessment to determine whether a “breach” of PHI occurred and satisfying related reporting obligations under the Breach Notification Rule and state law. The announcement also serves as another reminder for covered entities and business associates to identify their business associate relationships and enter into a BAA documenting each business associate relationship.

Sentara agreed to pay $2.175 million and undertake a corrective action plan with two years of monitoring.

In the press release, Roger Severino, OCR Director, warned that “When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.”

Mr. Cooper provides legal representation to a broad range of hospitals, other healthcare facilities and physician groups across the United States. He has been listed in The Best Lawyers in America for health law for twenty-three consecutive years and selected for inclusion in Ohio Super Lawyers (2005-2015).

Visit the McDonald Hopkins LLC web site at