October 1, 2020

Volume X, Number 275


HIPAA: Failure to Report Breach Costs Hospital $2.175 Million

One health system recently learned the cost of relying too heavily on the HIPAA Breach Notification Rule’s “low probability of compromise” standard when it failed to notify all affected individuals and report the HIPAA breach to the Office for Civil Rights (OCR). 

HIPAA covered entities frequently struggle with determining whether an inappropriate disclosure of protected health information (PHI) rises to the level of a reportable HIPAA breach—or alternatively, whether the disclosure creates only a “low probability of compromise.” A low probability of compromise determination means the covered entity is not required to notify the affected individual(s) or OCR under HIPAA’s Breach Notification Rule. 

On November 27, 2019, Sentara Hospitals (Sentara), a health system with sites of care in Virginia and North Carolina, settled with OCR for $2.175 million for failing to properly notify OCR and affected individuals of a breach of unsecured PHI. Specifically, Sentara mailed out 577 patient billing statements to the incorrect addresses. The billing statements included patient names, account numbers, and dates of services. At the time of the incident, Sentara conducted a risk assessment and determined Sentara only needed to notify eight individuals of the breach because the other disclosures did not contain a patient diagnosis, treatment information, or other medical information. That is, Sentara determined the other disclosures created only a “low risk of compromise” to the PHI and thus, notification was not required. 

Sentara also did not notify OCR at the time, since Sentara treated the breach as one affecting fewer than 500 individuals (i.e., only eight individuals were notified). Breaches affecting 500 or more individuals must be reported to OCR within 60 days of discovery of the breach; breaches affecting fewer than 500 individuals must be reported to OCR within 60 days of the end of the calendar year in which the breach was discovered. Importantly, OCR automatically launches an investigation into any entity reporting a breach affecting 500 or more individuals. Here, OCR commenced an investigation after receiving an individual’s complaint. OCR noted in its press release that even after Sentara was “explicitly advised” by OCR to report the breach, Sentara refused to do so.

In addition, during the investigation, OCR determined that Sentara did not have a business associate agreement (BAA) in place with Sentara Healthcare, the parent company that performed business associate services for Sentara. Sentara’s settlement is a reminder that any entity performing business associate services on behalf of a covered entity, even if affiliated, must have a BAA in place with the covered entity.

In addition to the $2.175 million settlement, Sentara also entered into a resolution agreement and corrective action plan that includes two years of monitoring and an ongoing requirement to provide OCR with an evaluation of each potential unauthorized acquisition, access, use or disclosure of PHI within 15 days of such determination, whether or not the incident rises to the level of a reportable breach.

Note that Sentara was designated as an affiliated covered entity (ACE) under HIPAA. The entities in an ACE are jointly and severally liable for HIPAA violations, meaning all ten hospitals within the ACE are liable for the settlement amount, not just the hospital which sent out the incorrect mailings. While there are many benefits of functioning as an ACE (e.g., sharing HIPAA policies and procedures, one member of the ACE entering into BAAs on behalf of the other members, etc.), this settlement demonstrates one downside of being a member of an ACE. 

© 2020 Foley & Lardner LLP. National Law Review, Volume IX, Number 339


About this Author

Jennifer Hennessy, Foley Lardner Law Firm, Privacy Security and Healthcare Attorney

Jennifer J. Hennessy is a privacy and security and health care regulatory attorney with Foley & Lardner LLP. Her practice includes advising businesses on compliance with state and federal data privacy and security laws. She assists covered entities and business associates in complying with the HIPAA Privacy and Security Rules, and also advises businesses and individuals on compliance with state data privacy laws and federal law 42 C.F.R. Part 2, Confidentiality of Alcohol and Drug Abuse Treatment Records. She frequently guides clients through data incident management...

Kelly Thompson, Foley Lardner, Healthcare lawyer

Kelly Thompson is an associate and health care business lawyer with Foley & Lardner LLP. Her practice focuses on legal services for corporations, hospitals, physician practices, and other health care providers in the areas of business law and health regulatory compliance, particularly federal and state fraud and abuse and licensure laws.

Ms. Thompson has assisted health care providers on various health and business law issues, including federal and state privacy laws, criminal and civil fraud and abuse laws, HIPAA, employment law, corporate law, billing and coding compliance, and legislative updates. Her experience includes drafting, revising, and negotiating contracts, drafting compliance memorandums, policies and procedures, employee handbook and training materials, preparing licensure applications, and corresponding with health care agencies on behalf of clients. 


Ms. Thompson received her law degree from Florida State University College of Law (J.D., cum laude, 2013), where she was a member of Phi Delta Phi, Student Bar Association, and American Bar Association. During law school, she served as a student attorney for the Medical Legal Partnership assisting low-income individuals with obtaining disability benefits and immigration visas. Ms. Thompson received her bachelor’s degree in marketing from Florida State University (B.S., magna cum laude, 2010). Ms. Thompson was a member of the FSU Honors program, President’s List, Dean’s List, and Florida Bright Futures Medallion and 20th Century Scholarship Recipient.