Not Taking the Advice of the OCR Could Prove Costly

On November 27, 2019 the Office for Civil Rights (OCR) issued a press release detailing a settlement agreement with Sentara Hospitals (Sentara) in the amount of $2.175 million. The matter that was the basis for the settlement started somewhat innocently when Sentara accidentally sent a bill to someone that contained the protected health information of someone else. In fact, the OCR investigation revealed Sentara actually mailed 577 patients’ protected health information to the wrong person. The interesting part of this whole thing is Sentara’s response and that is what resulted in the opportunity for Sentara to pay over $2 million.

Sentara initially reported the incident as a breach affecting just 8 people; Sentara took the position that since no diagnosis, treatment information or other medical information was included in the misdirected mailings there was not a reportable breach. Even after being told by the OCR, the very federal agency that enforces HIPAA, they had a duty and an obligation to report the breach, Sentara refused to do so. They didn’t just refuse one time, the press release states “Sentara persisted in its refusal to properly report the breach.” (emphasis added).

I can only speculate as to Sentara’s motivation for refusing to report the breach even after being specifically told by the OCR to do so. My guess is they didn’t want the negative publicity that comes with any large breach. A breach that impacts over 500 people must be reported to the OCR, the individual and through the media. In addition, by law, the OCR must investigate any breach impacting over 500 people. My suspicion is Sentara wanted to do everything they could to keep the breach under that 500 person threshold, even to the extent of openly defying the directions of the OCR. We call that the “this is my story and I am sticking to it” approach.

Some providers will work very hard to not call a disclosure a breach, especially when it involves over 500 people. From slanting the 4 factor risk assessment to trying to say the information disclosed does not constitute PHI, like Sentara, it is not uncommon to see providers manipulate the process to get the answer they want, that being, no reportable breach. I am sure had Sentara properly reported the breach from the very start, cooperated with the OCR investigation and agreed to implement a new process for mailing information to patients, the OCR would have issued a much smaller fine and been on their way, but the refusal to report the breach, even after being told to do so by the OCR gave Sentara the opportunity to write a much bigger check. The moral of the story is if there is a breach, be honest about the scope, report it and implement strategies to ensure it doesn’t happen again and the agency will be much better in the long run.