OCR Secures $2.175 Million HIPAA Settlement After Hospitals Failed to Properly Notify HHS of a Breach of Unsecured Protected Health Information


Heidi Macomber reads the 11/26/19 HHS OCR news update: OCR Secures $2.175M HIPAA Settlement; Sentara Hospitals allegedly failed to properly notify HHS of a PHI breach

This is a HIPAA update regarding an HHS OCR news release dated 11/26/2019, and it describes an allegedly serious HIPAA violation. There was apparently a lack of understanding on the part of a very large hospital system about the definition of a breach and whether or not it needed to be reported to OCR. For those that need to know: if you inadvertently send protected health information (PHI) to the wrong patient, you need to properly report it to OCR stat, regardless of whether or not you were responsible for the error. Also, if you use a business associate service to handle any part of your ‘paperwork’ or services, make sure you have a business associate agreement in place.


In an agreement with the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), Sentara Hospitals (Sentara) has agreed to take corrective actions and pay $2.175 million to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification and Privacy Rules. Sentara is comprised of 12 acute care hospitals with more than 300 sites of care throughout Virginia and North Carolina.

The following ten (10) covered entities are designated as part of the Sentara Affiliated Covered Entity and are collectively referred to herein as “Sentara Hospitals”:

Sentara Norfolk General Hospital
Sentara Leigh Hospital
Sentara Careplex Hospital
Sentara Williamsburg Regional Medical Center
Sentara Virginia Beach General Hospital
Sentara Obici Hospital
Sentara Northern Virginia Medical Center
Sentara Martha Jefferson Hospital
Sentara RMH Medical Center
Sentara Princess Anne Hospital


HHS OCR News Update

The Resolution Agreement – PDF

45 C.F.R. Part 160

The Security Rule

The Privacy Rule

Submitting Notice of a Breach to the Secretary

Part 164 Security and Privacy > Subpart A – General Provisions & Subpart E – Privacy of Individually Identifiable Health Information

Organizational, Policies and Procedures and Documentation Requirements – PDF

§ 164.314 – Organizational Requirements – Business Associate Contracts or Other Arrangement
