Breach Notification Rule Failure Leads to $2.175 Million HIPAA Settlement

A breach notification failure and the lack of a business associate agreement have led to a $2.175 million HIPAA penalty for Sentara Hospitals.

The HHS’ Office for Civil Rights launched an investigation following a complaint from a patient of Sentara Hospitals about an impermissible disclosure of protected health information. The patient had been sent a bill in April 2017 that contained the protected health information of another patient.

OCR found that bills containing the PHI of 577 patients had been misdirected after being merged with 16,342 different guarantors' labels, but Sentara Hospitals only reported the breach as affecting 8 patients. Sentara Hospitals determined that breach notifications were only required for patients who had diagnoses, treatment information, or other medical data exposed. Since the other patients only had information such as their name, account number, and dates of service disclosed, Sentara Hospitals determined that breach notifications were not required for them.

Even when OCR explicitly advised Sentara Hospitals about the need to report the incident as having affected 577 patients, Sentara Hospitals maintained its position and persisted in its refusal to properly report the breach.

Sentara Hospitals operates 12 acute care hospitals and more than 300 care facilities throughout Virginia and North Carolina. Sentara Hospitals’ parent company, Sentara Healthcare, provides services that require it to create, receive, maintain, and transmit PHI on behalf of Sentara Hospitals.

OCR found that there was no business associate agreement in place prior to October 17, 2018 covering Sentara Healthcare. Consequently, the protected health information of patients had been provided to the parent company and business associate without first having received satisfactory assurances that safeguards would be implemented to ensure the confidentiality, integrity, and availability of PHI and that HIPAA Rules would be followed.

These violations of the HIPAA Breach Notification Rule (45 C.F.R. § 164.408) and the HIPAA Privacy Rule (45 C.F.R. § 164.504(e)(2)) were determined to warrant a financial penalty. In addition to paying the $2.175 million penalty, Sentara Hospitals is required to adopt a corrective action plan to address all areas of noncompliance with HIPAA Rules and faces greater scrutiny from OCR over the next two years.

“HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed,” said OCR Director, Roger Severino. “When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.”

About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: