Tis the season for HIPAA settlements

December 17, 2019
Rachel V. Rose, JD, MBA

Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.

As the year ends, this latest HIPAA settlement serves as a reminder of what should be included in 2020’s resolutions.

As the year ends, this latest Office of Civil Rights (OCR) settlement serves as a reminder of what should be included in 2020’s resolutions.

By now, it’s no secret that OCR takes action against basic HIPAA violations. Recently, Sentara Hospitals (Sentara), which has 12 acute care hospitals, as well as over 300 points of care throughout Virginia and North Carolina, entered into a corrective action plan and agreed to pay $2.175 million to settle potential HIPAA violations for the wrongful disclosure of protected health information, as well as for failing to report breaches. “OCR also determined that Sentara failed to have a business associate agreement in place with Sentara Healthcare, an entity that performed business associate services for Sentara.”

This settlement is significant for the following reasons:

1.     The settlement amount is in the millions;

2.     The business associate agreement deficiency occurred between two separate entities of Sentara – a covered entity and Sentara Healthcare, a company related to Sentara from a corporate standpoint, which was performing business associate services (e.g., auditing, consulting);

3.     Sentara did not cooperate with OCR, which expressly relayed the requisite duty to disclose the breach; and

4.     Sentara underreported the number of individuals whose PHI was sent to the wrong address.

“HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed,” said Roger Severino, OCR Director. “When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.”

What are the takeaways for providers? When doing a “New Year’s Resolutions List”, providers should ensure that the following HIPAA-related items are near the top:

·      Pick dates to train employees and update the training

·      Schedule an annual risk analysis

·      Ensure that all business associate agreements are current and are in place with every business associate or subcontractor

·      Set a date to review and revise policies and procedures

A little bit of preventative care at the outset can lead to greater peace of mind throughout the year through reducing a person’s risk of an OCR penalty, settlement and/or corrective action plan.
