Sentara HIPAA Breach Teaches Us About PHI
One costly error, two big lessons learned.
We all make mistakes. Thankfully, few of us ever make a mistake that costs us $2.175 million. That was the price Sentara Hospitals will have to pay for their mistake: a mail merge error that led to numerous hospital bills being sent out to the wrong patients — a very expensive HIPAA breach.
But Sentara’s error is not as straightforward as simply releasing a patient’s protected health information (PHI) by mistake. It raises issues about what constitutes a patient’s PHI, how potential breaches should be reported, and about the formal relationship that a covered entity needs to have with a business associate acting on its behalf.
What, Exactly, Did Sentara Do Wrong?
The breach was first discovered in April 2017, when a patient who received billing information intended for another patient complained to the Department of Health and Human Services (HHS). The complaint immediately led the HHS’s Office for Civil Rights (OCR) to launch a formal investigation, which found that Sentara had compromised the PHI of 577 people.
Sentara eventually acknowledged the breach, but they claimed only eight patients had been affected in total. They based their figure on the belief that the bills did not contain details of patient diagnoses, treatment plans, or other related medical information. When the OCR pointed out to Sentara that this was incorrect, “Sentara persisted in its refusal to properly report the breach even after being explicitly advised of their duty to do so by OCR,” according to HHS’s press release about the incident and its resolution.
This breach of unsecured PHI formed just the first part of the OCR investigation. The second part involved the relationship between Sentara Hospitals and their parent company, Sentara Healthcare. According to the HHS press release, “Sentara failed to have a business associate agreement [BAA] in place with Sentara Healthcare, an entity that performed business associate services for Sentara.”
What Can We Learn From the Sentara Resolution?
Essentially, the whole episode could have been averted if Sentara had (a) known what constitutes PHI and (b) known who can, and who cannot, share that information.
HHS lists 18 identifiers that make up a patient’s PHI when they are linked to a patient’s health data:
- Names
- Geographic subdivisions smaller than a state
- Dates, except year
- Telephone numbers
- Vehicle identifiers and serial numbers including license plates
- Fax numbers
- Device identifiers and serial numbers
- Email addresses
- Web URLs
- Social Security numbers
- Internet protocol addresses
- Medical record numbers
- Biometric identifiers (e.g. retinal scans, fingerprints)
- Health plan beneficiary numbers
- Full face photos and comparable images
- Account numbers
- Any unique identifying number or code
- Certificate/license numbers
Interestingly, in this case, not understanding this information created a double problem for Sentara. In the first place, Sentara did not report the breach when it happened, which suggests that they did not know the initial mailings contained three PHI identifiers — patient names, account numbers, and dates of services, according to the OCR investigation — and that the mailings had consequently breached HIPAA policy.
Secondly, in believing that the mailings did not breach HIPAA because they did not include patient diagnoses, treatment information, or other medical information, Sentara showed a fundamental misunderstanding of HIPAA regulations. A breach occurs not when a certain kind of medical information has been wrongly released, but when that information can be connected to a specific individual via one or more of the PHI identifiers.
Why Business Associate Agreements Are Good Business
Finally, the HIPAA Privacy Rule regarding Covered Entities and Business Associates states, “If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that … requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information.”
Sentara Hospitals did not enter into a BAA with Sentara Healthcare until Oct. 17, 2018 — 18 months after the OCR began its investigation of the breach. Prior to the breach and even during the investigation, Sentara Hospitals had been allowing Sentara Healthcare “to create, receive, maintain, or transmit PHI on their behalf and to provide services involving the disclosure of PHI without obtaining satisfactory assurances” that Sentara Healthcare was operating under HIPAA privacy guidelines while performing work for Sentara Hospitals.
For complete details, read HHS’s final resolution agreement with Sentara.