Wrong Person Receives Bill, OCR Secures $2.175 Million Fine, Healthcare Risk Management, ft. Eric Stern
Eric B. Stern, partner and co-chair of the KDV Data Privacy & Cybersecurity Practice Group, was quoted in a Healthcare Risk Management article on March 1, 2020.
Sentara Hospitals in Virginia and North Carolina agreed to take corrective actions and pay $2.175 million to settle potential HIPAA violations stemming from a complaint alleging the organization had mailed a bill containing another patient’s PHI to the wrong individual.(1) OCR determined Sentara mailed 577 patients’ PHI to the wrong addresses. Sentara reported the incident as a breach affecting only eight people because it concluded (incorrectly) that unless the disclosure included patient diagnosis, treatment information, or other medical information, no reportable breach of PHI had occurred. “Sentara persisted in its refusal to properly report the breach even after being explicitly advised of their duty to do so by OCR,” the office reports. OCR also determined Sentara failed to put a business associate agreement in place with another company.(1)
The common thread that runs through breach-related settlements is the requirement for companies to develop policies and procedures to comply with applicable notification regulations, says Eric B. Stern, JD, partner with Kaufman Dolowich & Voluck in Woodbury, NY. In fact, he says, most of the “Corrective Action Obligations” section of the “Corrective Action Plan” relates to forming and distributing such policies and procedures.