OCR Says Organization Dropped the Ball on Breach Reporting, Business Associate Agreement
Sentara Williamsburg Regional Medical Center (Photo: Sentara)
Federal regulators have slapped Norfolk, Va.-based Sentara Hospitals with a $2.2 million HIPAA settlement for improperly reporting a breach and lacking a business associate agreement.
In a Nov. 27 statement, the Department of Health and Human Services’ Office for Civil Rights says the settlement came in the wake of a 2017 breach tied to mailing errors.
OCR acted after receiving a complaint that alleged Sentara Hospitals had sent a bill to an individual containing another patient’s protected health information.
“OCR’s investigation determined that Sentara mailed 577 patients’ PHI to wrong addresses that included patient names, account numbers and dates of services,” the statement says. “Sentara reported this incident as a breach affecting eight individuals, because Sentara concluded, incorrectly, that unless the disclosure included patient diagnosis, treatment information or other medical information, no reportable breach of PHI had occurred.”
But Sentara persisted in its refusal to properly report the breach even after being explicitly advised of its duty to do so by OCR, the agency says.
OCR also determined that Sentara Hospitals failed to have a business associate agreement in place with Sentara Healthcare, which performs business associate services for the hospitals.
Sentara Hospitals includes 12 acute care hospitals throughout Virginia and North Carolina. Sentara Healthcare, its parent organization, is a non-profit integrated healthcare system that includes a wide variety of facilities and four medical groups.
“HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed,” Roger Severino, OCR director, says in the statement. “When healthcare providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.”
Corrective Action Plan
In addition to paying the financial settlement, Sentara’s resolution agreement with HHS includes a corrective action plan with two years of monitoring by OCR.
Under that plan, Sentara has agreed to take several measures, including:
- Develop, maintain and revise, as necessary, its written policies and procedures to comply with the HIPAA breach notification requirements.
- Implement those policies and procedures, and distribute them to its workforce.
- Upon receiving information that an unauthorized acquisition, access, use or disclosure of PHI may have occurred, promptly evaluate the incident to determine if it constitutes a breach. Even if Sentara Hospitals concludes that the incident does not constitute a breach, it must report that determination to OCR. If OCR disagrees with Sentara Hospitals’ breach risk assessment, Sentara Hospitals must revise the assessment based on technical assistance provided by OCR and provide appropriate breach notification.
In a statement provided to Information Security Media Group, Sentara says that in April 2017, a vendor that prints and mails the organization’s bills accidentally printed some patients’ billing information on other patients’ statements.
“Upon discovering the error, we took immediate action to halt bill printing and mailing and later notified the affected patients,” the statement notes.
“Since the incident, we have implemented more stringent quality control measures, required our vendor to enhance their quality control processes and hired a new privacy director. We also are in the process of updating employee training and education and assessing our privacy program as a whole. Sentara is committed to the security of our patients’ personal information and working hard to prevent this error from happening again.”
Heed Agency’s Warnings
In its statement about the settlement with Sentara Hospitals, OCR notes that the organization failed to properly report its breach even after the agency advised Sentara to do so.
“OCR has always operated under the approach that it is not nitpicking the rules but is reviewing whether companies are acting in good faith and making reasonable efforts to comply with the [HIPAA] rules,” says privacy attorney Kirk Nahra of the law firm WilmerHale.
That means that OCR has “lots of discretion to act, and often exercises that discretion in ways that mean that companies do not get penalized even if there is some violation – as long as they generally are trying to do the right thing,” he says. “Typically, that means that when OCR says you should do something, it is usually a pretty good idea to do that thing.”
Other Lessons to Learn
Privacy attorney David Holtzman of the security consultancy CynergisTek says the case offers a number of other lessons, including the need to carefully determine when a business associate agreement is required – even within one broad corporate umbrella.
Because Sentara Hospitals’ corporate parent, Sentara Healthcare, serves as a business associate to the hospitals unit, that unit needed to have a business associate agreement with Sentara Healthcare, he explains.
The resolution agreement between OCR and Sentara notes: “Sentara Hospitals allowed their parent corporation and business associate, Sentara Healthcare, to create, receive, maintain, or transmit PHI on their behalf and to provide services involving the disclosure of PHI without obtaining satisfactory assurances.”
Another lesson from the case, Holtzman says, is: Organizations need to ensure their workforce has a proper understanding of what information is considered PHI under HIPAA.
“It is vital that organizations invest in the time and resources to properly train their workforce members on what is personally identifiable information as well as protected health information and their role and responsibility to safeguard it from unauthorized use and disclosure,” he says.
OCR and its sister HHS agency, the Office of the National Coordinator for Health IT, offer free resources, including YouTube videos, designed to provide overviews of the HIPAA privacy and security rules, he notes.
Many professional associations, including the American Association of Family Physicians and the American Medical Association, also offer HIPAA training materials that are designed to help meet the needs of physician practices, he adds.
All healthcare organizations need to take steps to ensure that they carefully safeguard PHI during their more mundane types of business activities, Holtzman notes.
“While much attention is paid to detecting and responding to cybersecurity incidents, healthcare organizations must be vigilant in managing daily business processes that involve the production and mailing of correspondence and billing statements,” he says.
“Whether an organization is preparing a single letter for mailing or hiring a contractor to produce and send materials to a large number of people, there must be a quality control process in the design, production and delivery of the finished product.”
An important best practice, Holtzman says, is to develop a quality control checklist to help ensure that documents prepared for mailings contain the correct information for the right patient and that data processing is checked to ensure PHI is kept confidential.
Also, organizations should perform a final quality assurance check to physically inspect documents before mailing to make sure that they are going to the intended recipient at the correct address, he adds.
“Healthcare organizations and their vendors should employ a risk-based strategy to assess the potential for compromise of data when designing the production and mailing of PHI,” Holtzman says. “Many organizations take special precautions when producing and mailing documents that contain sensitive personal information, such as a person’s record of charges for treatment services.”
So far in 2019, OCR has issued seven HIPAA enforcement actions – including five settlements and two civil monetary penalty cases – containing a total of nearly $13 million in fines.