Sentara in $2.175 Million Settlement for Improper HIPAA Breach Reporting

December 10, 2019 | Eric D. Fader | HIPAA | Home Health | Hospitals | Litigation

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced on November 27 that Sentara Healthcare agreed to pay $2.175 million to settle allegations that it failed to properly report a breach of protected health information. Sentara operates 12 acute care hospitals and provides other types of care at more than 300 locations in Virginia and North Carolina.

Sentara sent 577 mailings, including patient names, account numbers, and dates of service, to the wrong addresses. When it reported the breach to OCR, however, Sentara mistakenly claimed that only eight patients were affected because most of the mailings did not include a diagnosis or other medical information. Even after OCR informed Sentara that all 577 improper mailings were reportable, Sentara “persisted in its refusal to properly report the breach.” OCR also discovered that Sentara did not have a business associate agreement in place with Sentara Healthcare, one of its service providers.

In addition to the payment, Sentara’s Resolution Agreement included a two-year corrective action plan requiring, among other things, that it improve its written HIPAA policies and procedures.
