One health system recently learned the cost of relying too heavily on the HIPAA Breach Notification Rule’s “low probability of compromise” standard when it failed to notify all affected individuals and report the HIPAA breach to the Office for Civil Rights (OCR).
HIPAA covered entities frequently struggle with determining whether an inappropriate disclosure of protected health information (PHI) rises to the level of a reportable HIPAA breach—or alternatively, whether the disclosure creates only a “low probability of compromise.” A low probability of compromise determination means the covered entity is not required to notify the affected individual(s) or OCR under HIPAA’s Breach Notification Rule.
On November 27, 2019, Sentara Hospitals (Sentara), a health system with sites of care in Virginia and North Carolina, settled with OCR for $2.175 million for failing to properly notify OCR and affected individuals of a breach of unsecured PHI. Specifically, Sentara mailed out 577 patient billing statements to the incorrect addresses. The billing statements included patient names, account numbers, and dates of services. At the time of the incident, Sentara conducted a risk assessment and determined Sentara only needed to notify eight individuals of the breach because the other disclosures did not contain a patient diagnosis, treatment information, or other medical information. That is, Sentara determined the other disclosures created only a “low risk of compromise” to the PHI and thus, notification was not required.
Sentara also did not notify OCR at the time, since Sentara treated the breach as one affecting less than 500 individuals (i.e., only eight individuals were notified). Breaches affecting 500 or more individuals must be reported to OCR within 60 days of discovery of the breach; breaches affecting less than 500 individuals must be reported to OCR within 60 days of the end of the calendar year in which the breach was discovered. Importantly, OCR automatically launches an investigation into any entity reporting a breach affecting 500 or more individuals. Here, OCR commenced an investigation after receiving an individual’s complaint. OCR noted in its press release that even after Sentara was “explicitly advised” by OCR to report the breach, Sentara refused to do so.
In addition, during the investigation, OCR determined that Sentara did not have a business associate agreement (BAA) in place with Sentara Healthcare, the parent company that performed business associate services for Sentara. Sentara’s settlement is a reminder that any entity performing business associate services on behalf of a covered entity, even if affiliated, must have a BAA in place with the covered entity.
In addition to the $2.175 million settlement, Sentara also entered into a resolution agreement and corrective action plan which includes two years of monitoring and an ongoing requirement to provide the OCR with an evaluation of each potential unauthorized acquisition, access, use or disclosure of PHI within 15 days of such determination, whether or not the incident rises to the level of a reportable breach.
Note that Sentara was designated as an affiliated covered entity (ACE) under HIPAA. The entities in an ACE are jointly and severally liable for HIPAA violations, meaning all ten hospitals within the ACE are liable for the settlement amount, not just the hospital which sent out the incorrect mailings. While there are many benefits of functioning as an ACE (e.g., sharing HIPAA policies and procedures, one member of the ACE entering into BAAs on behalf of the other members, etc.), this settlement demonstrates one downside of being a member of an ACE.