July 3, 2020

Volume X, Number 185


Misdirected Hospital Bills Lead to $2.175 Million HIPAA Settlement

On November 27, 2019, the U.S. Department of Health & Human Services Office for Civil Rights (OCR) announced a $2.175 million settlement with a hospital system to resolve alleged violations of HIPAA’s Breach Notification Rule and Privacy Rule. The settlement is noteworthy as it represents OCR’s fourth HIPAA settlement in excess of $1 million in just over a month (see our coverage of recent enforcement actions here and here).

The settlement with a 10-hospital system arises from a complaint filed in April 2017 by an individual who claimed that the system had sent a bill to the complainant that contained another patient’s PHI. According to OCR, an investigation subsequently showed that billing statements for 577 patients had been improperly merged with different guarantors’ mailing labels, resulting in the improper disclosure of the PHI of those 577 individuals. OCR also alleges that, after conducting a risk assessment, the hospital system provided breach notification to only eight affected individuals. In its announcement of the settlement, OCR states that the system “incorrectly” concluded that only disclosures that include a patient diagnosis, treatment information or other medical information are reportable, and that the system had not properly reported the breach even after being advised by OCR of its duty to do so.

OCR’s investigation further indicated that the parent corporation of the hospital system provided business associate services to the subsidiary hospitals, but did not have a business associate agreement in place.

In addition to the $2.175 million monetary payment, as part of the settlement the hospital system agreed to enter into a two-year corrective action plan (CAP). The CAP requires the system to develop written policies and procedures for Breach Notification Rule compliance for approval by OCR. The approved policies and procedures must be distributed to workforce members, who in turn are required to certify that they have read, understood, and will abide by the policies and procedures. The CAP also requires the system to submit an implementation report to OCR, and then annual reports, that include information on any reportable events of non-compliance with the CAP.

This settlement provides an important reminder to hospital systems of the broad scope of the Breach Notification Rule, and the significant potential regulatory penalties for non-compliance with HIPAA when carrying out billing activities. Hospital systems structured to allow a parent corporation to provide certain administrative tasks on behalf of subsidiary hospitals would also be well advised to ensure that any business associate services furnished to covered entity subsidiaries by the parent (or other system entities) are addressed in a business associate agreement.

Copyright © 2020 Robinson & Cole LLP. All rights reserved. National Law Review, Volume IX, Number 337

About this Author

Conor Duffy Cybersecurity Attorney

Conor Duffy is a member of the firm's Health Law Group and its Data Privacy + Cybersecurity Team. He advises hospitals, physician groups, community providers, and other health care entities on general corporate matters and health law issues. He also counsels clients on what measures are needed to safeguard data and patient information.
Conor provides legal counsel to health care clients on various regulatory matters, such as Medicare and Medicaid program compliance, federal fraud and abuse laws, and the Emergency Medical Treatment & Labor Act...