This is a HIPAA update regarding an HHS OCR news release dated 11/26/2019 that represents an allegedly huge HIPAA violation. There was apparently a lack of understanding on the part of a very large hospital system about the definition of a breach and whether or not it needed to be reported to the OCR. For those who need to know: if you inadvertently send patient health information (PHI) to the wrong patient, you need to properly report it to the OCR stat, regardless of whether or not you were responsible for the error. Also, if you use a business associate service to handle any part of your ‘paperwork’ or services, make sure you have a business associate agreement in place.
In an agreement with the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), Sentara Hospitals (Sentara) has agreed to take corrective actions and pay $2.175 million to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification and Privacy Rules. Sentara is comprised of 12 acute care hospitals with more than 300 sites of care throughout Virginia and North Carolina.
The following ten (10) Covered Entities designated as part of the Sentara Affiliated Covered Entity, collectively referred to herein as “Sentara Hospitals”:
Sentara Norfolk General Hospital
Sentara Leigh Hospital
Sentara Careplex Hospital
Sentara Williamsburg Regional Medical Center
Sentara Virginia Beach General Hospital
Sentara Obici Hospital
Sentara Northern Virginia Medical Center
Sentara Martha Jefferson Hospital
Sentara RMH Medical Center
Sentara Princess Anne Hospital
Part 164 Security and Privacy > Subpart A – General Provisions & Subpart E – Privacy of Individually Identifiable Health Information