The federal Office for Civil Rights (OCR) recently reached a settlement with Sentara Hospitals for $2.175 million for mailing protected health information (PHI) to the wrong addresses. Initially, Sentara misreported the number of patients affected by the breach and, after a complaint was filed by an individual, OCR determined more than 500 people were impacted. Not only did Sentara underestimate the number, but after OCR informed them of their error and told them to report the difference, the healthcare provider refused.
OCR was unhappy with Sentara’s decision. In a press release regarding the settlement, OCR Director Roger Severino, said, “When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action.”
In addition to the hefty fine, Sentara, which has 12 acute care hospitals and more than 300 clinical sites in Virginia and North Carolina, will spend 2 years being monitored during a corrective action plan.
There is no foolproof way to avoid PHI breaches, but healthcare providers need to have procedures in place to avoid repeating Sentara’s mistakes.
One thing that stood out about Sentara’s case for Christina Glabas, a principal at Gazelle Consulting, LLC (www.gazelleconsulting.org), is that OCR received a complaint from a patient that set its investigation into motion. Healthcare providers need to ensure they have an accessible HIPAA complaint program, said Glabas, who is based in Portland, Oregon. When patients have a HIPAA issue, they will often go first to their provider’s website in search of a complaints page. Patients’ next step is to file a complaint on OCR’s webpage. On its Contact Us page, Sentara has a link for complaints, but nothing specifically directed at HIPAA issues.
Sometimes, just making people feel like they’ve been heard is enough to keep them from escalating the complaint to OCR, Glabas said. It is also good for any compliance program to have that kind of information on hand.
Breaches need to be analyzed. If it appears that PHI was exposed in any way, it is better to own up to it and inform OCR. If OCR learns an organization knew about a breach and did not report it—or reported it incorrectly—it can consider the lack of a report willful neglect and impose a mandatory fine.
“If you have made a good faith effort to fulfill your obligations and act promptly to correct any deficiency, you likely won’t hear from them again,” said Kim C. Stanger, a healthcare lawyer and partner at Holland & Hart LLP, based in Boise, Idaho (www.hollandhart.com). “Because the failure to report may constitute willful neglect triggering mandatory penalties, I’m leery about situations where organizations don’t report a breach unless they feel pretty confident it wasn’t a reportable breach.”
OCR is so busy that if a provider files a breach report, the provider will likely never hear anything else from the government, Stanger said. “OCR is reasonable in most of these cases,” Stanger said. “They are not looking to slap fines on people.” According to Glabas, OCR investigates 2000 to 3000 breaches each year and only about a dozen or so result in fines.
That is why it is usually the “big ticket items” that result in fines, Stanger said. OCR typically steps in and investigates further when many patients are affected, organizations had previous poor conduct, or a provider knew there was a problem and failed to take any corrective action.
Sentara appears either not to have sought assistance with reporting or to have received bad advice, Glabas said. If a breach occurs, she recommends first seeking legal counsel or a compliance specialist and then reporting the situation to OCR. Stanger said a good privacy officer may be enough to determine the reporting requirements.
“They need to do everything they can before reporting the breach and have an expert to assist in the breach risk assessment,” Glabas said.
And if OCR does come knocking on the door, “take it seriously and jump through all of the hoops,” Stanger said. Even after OCR told Sentara they needed to amend their report, the organization failed to do so, which confounds both Stanger and Glabas. “I can’t imagine simply ignoring OCR when they tell a provider to do something,” Glabas said.
Sentara did not appear to show outright defiance of OCR. Rather, someone disagreed that the exposed data was PHI. Initially, they reported that the breach involved 8 people. According to the OCR press release, Sentara thought patient diagnoses or medical information had to be involved for the breach to be reportable.
Sentara’s breach mailings included names, account numbers, and dates of service, all of which are on OCR’s list of identifiers that constitute PHI.
Sentara’s misunderstanding likely occurred because the company did not think there was “health information” on the mailers, Glabas said. Even just a name and date of service would make it “understandable someone had received care,” she said. Nearly anything that has a patient’s name on it, along with the name of the healthcare provider, shows they likely received treatment at the facility, Glabas said.
PHI can be any of the following, when found with a physical or mental health condition, treatment or healthcare payment information:
- dates including birthdate, admission and discharge
- phone number
- fax number
- email address
- Social Security number
- medical record number
- health insurance number
- provider account number
- driver’s license or state ID number
- vehicle identifiers
- medical device identifiers
- web URL
- Internet Protocol address
- other personal identifiers
Sometimes organizations over-report as well, Glabas said. Cautious organizations may rush to send a breach report to OCR after assuming something was exposed when it was not, only to find out later that it was not a reportable breach. This is another reason Glabas recommends engaging with a compliance expert before reaching out to OCR. Either way, over-reporting may open the door to a full investigation.
“It just demonstrates to OCR that the provider may have issues in their compliance program,” she said.