#Privacy: Sentara Hospitals to pay $2.175M fine over HIPAA violation

An American health services provider, Sentara Hospitals, has agreed to pay a fine of $2.175 million to settle HIPAA violations.

In April 2017, the Department of Health and Human Services (HHS) received a complaint regarding Sentara Hospitals, whereby the complainant had received a bill from Sentara which contained the protected health information (PHI) of another patient. 

Following an investigation by the Office for Civil Rights (OCR), it was discovered that Sentara had merged 577 patient billing statements into the mailing labels of 16,342 different guarantors – thus exposing the PHI  of 577 patients. 

The exposed information included patient names, account numbers and dates of services. 

HHS stated that Sentara reported the incident as a breach impacting only eight individuals, due to incorrectly concluding that “unless the disclosure included patient diagnosis, treatment information or other medical information, no reportable breach of PHI had occurred.”

A  spokesperson from HHS said: “Sentara persisted in its refusal to properly report the breach even after being explicitly advised of their duty to do so by OCR.”

In addition, it was also determined by OCR that Sentara did not have a business associate agreement put in place with affiliate Sentara Healthcare until October 17, 2018 – well after the breach. 

Subsequently, Sentara was found to violate Health Insurance Portability and Accountability Act (HIPAA) Breach Notification and Privacy Rules. Sentara has agreed to pay the $2.175 million fine and to take corrective action. 

OCR director, Roger Severino said:

“HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed.

“When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.”


PrivSec Conferences will bring together leading speakers and experts from privacy and security to deliver compelling content via solo presentations, panel discussions, debates, roundtables and workshops.

For more information on upcoming events, visit the website.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.

Privacy Culture: Data Privacy and Information Security Consulting, Culture & Behaviour, Training, and GDPR maturity, covered. https://www.privacyculture.com/