Sentara Hospitals agreed to pay HHS' Office for Civil Rights $2.2 million, the agency announced Wednesday.
The fine settles alleged HIPAA violations, including Sentara Hospitals reportedly neglecting to have a business associate agreement with its parent company, Norfolk, Va.-based Sentara Healthcare.
HHS in 2017 received a complaint alleging that Sentara Hospitals—which spans 12 acute-care hospitals and more than 300 care sites in Virginia and North Carolina—had sent a patient a bill that contained another patient's health data. An OCR investigation into the incident revealed that Sentara Hospitals had mailed protected health information from 577 patients to wrong addresses, including patients' names, account numbers and dates of service.
That breach was the result of a third-party vendor's error, a Sentara Healthcare spokesperson wrote in an email to Modern Healthcare.
"In April 2017, a vendor who prints and mails our bills accidentally printed some patients' billing information on other patients' statements," she said. "Upon discovering the error, we took immediate action to halt bill printing and mailing and later notified the affected patients."
But Sentara Hospitals initially reported the incident as affecting only eight individuals, because the organization had thought that breach reports were only required for disclosures of patient diagnosis, treatment or other medical information, according to the OCR. The OCR said Sentara Hospitals continued to refuse to properly report the breach after the agency advised it to do so.
"HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed," OCR Director Roger Severino said in a statement. "When healthcare providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR."
During the course of its investigation into the mailing breach, the OCR also determined that Sentara Hospitals did not have a business associate agreement in place with its parent company, which provided services that involved transmitting protected health information, according to the OCR.
In addition to the monetary settlement, Sentara Hospitals will implement a corrective action plan, which includes HHS monitoring its HIPAA compliance for two years.
Since the 2017 incident, Sentara Hospitals has already implemented more stringent quality-control measures and required the third-party vendor to enhance its quality-control processes, according to the system spokesperson. "Sentara is committed to the security of our patients' personal information and working hard to prevent this error from happening again," she wrote.
Sentara Hospitals' settlement marks the third HIPAA fine the OCR has doled out in November.
The OCR earlier this month slapped a Texas health agency with a $1.6 million fine after that agency exposed thousands of people's protected health information online. The OCR also announced that the University of Rochester (N.Y.) Medical Center had agreed to pay $3 million in response to multiple instances of the health system reportedly failing to encrypt mobile devices.