Skip to main content

Nixon Peabody LLP

  • People
  • Capabilities
  • Insights
  • About
Trending Topics
    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    Practices

    View All

    • Affordable Housing
    • Community Development Finance
    • Corporate & Finance
    • Cybersecurity & Privacy
    • Entertainment & Media
    • Environmental
    • Franchising & Distribution
    • Government Investigations & White Collar Defense
    • Healthcare
    • Intellectual Property
    • International Services
    • Labor, Employment, and Benefits
    • Litigation
    • Private Wealth & Advisory
    • Project Finance
    • Public Finance
    • Real Estate
    • Regulatory & Government Relations
    Industries

    View All

    • Aviation
    • Cannabis
    • Consumer
    • Energy
    • Financial Services
    • Healthcare
    • Higher Education
    • Infrastructure
    • Manufacturing
    • Nonprofit Organizations
    • Real Estate
    • Sports & Stadiums
    • Technology
    Value-Added Services

    View All

    • Alternative Fee Arrangements

      Developing innovative pricing structures and alternative fee agreement models that deliver additional value for our clients.

    • Continuing Education

      Advancing professional knowledge and offering credits for attorneys, staff and other professionals.

    • Crisis Advisory

      Helping clients respond correctly when a crisis occurs.

    • DEI Strategic Services

      Providing our clients with legal, strategic, and practical advice to make transformational changes in their organizations.

    • eDiscovery

      Leveraging law and technology to deliver sound solutions.

    • Environmental, Social, and Governance (ESG)

      We help clients create positive return on investments in people, products, and the planet.

    • Global Services

      Delivering seamless service through partnerships across the globe.

    • Innovation

      Leveraging leading-edge technology to guide change and create seamless, collaborative experiences for clients and attorneys.

    • IPED

      Industry-leading conferences focused on affordable housing, tax credits, and more.

    • Legal Project Management

      Providing actionable information to support strategic decision-making.

    • Legally Green

      Teaming with clients to advance sustainable projects, mitigate the effects of climate change, and protect our planet.

    • Nixon Peabody Trust Company

      Offering a range of investment management and fiduciary services.

    • NP Capital Connector

      Bringing together companies and investors for tomorrow’s new deals.

    • NP Second Opinion

      Offering fresh insights on cases that are delayed, over budget, or off-target from the desired resolution.

    • NP Trial

      Courtroom-ready lawyers who can resolve disputes early on clients’ terms or prevail at trial before a judge or jury.

    • Social Impact

      Creating positive impact in our communities through increasing equity, access, and opportunity.

    • Women in Dealmaking

      We provide strategic counsel on complex corporate transactions and unite dynamic women in the dealmaking arena.

    1. Home
    2. Insights
    3. Articles
    4. Health system s refusal to properly report breach to OCR leads to $2 175 million settlement

      Articles

    Article

    Health system s refusal to properly report breach to OCR leads to $2 175 million settlement

    Dec 5, 2019

    LinkedInX (Twitter)EmailCopy URL

    By Jéna Grady

    On November 27, 2019, the Department of Health and Human Services Office for Civil Rights (OCR) announced Sentara Hospitals (Sentara) has agreed to pay $2.175 million to OCR and adopt a corrective action plan that includes two years of monitoring to settle possible violations of HIPAA.

    On November 27, 2019, the Department of Health and Human Services Office for Civil Rights (OCR) announced Sentara Hospitals (Sentara) has agreed to pay $2.175 million to OCR and adopt a corrective action plan that includes two years of monitoring to settle possible violations of HIPAA. Sentara has 12 acute care hospitals and more than 300 sites of care in Virginia and North Carolina.

    In April 2017, OCR received a complaint that an individual received a bill from Sentara that contained PHI for another patient. Once OCR initiated an investigation to review the complaint, OCR determined that Sentara improperly disclosed PHI of 577 patients to wrong addresses. This occurred when Sentara accidentally merged these patients billing statements into mailing labels of more than 16,342 other individuals. Information included patient names, account numbers, or dates of services. Sentara, however, incorrectly concluded from its risk assessment that the improper disclosure leading to a breach actually only affected eight individuals. Specifically, Sentara wrongly believed that notification to OCR and affected individuals only had to be made if patient diagnosis, treatment information, or other medical information had been improperly disclosed.

    Even after OCR advised Sentara of its duty to properly report the breach for the remaining 569 individuals, OCR noted that “Sentara persisted in its refusal to properly report the breach…” OCR’s investigation also led to OCR finding that Sentara failed to have a business associate agreement in place with Sentara Healthcare, an entity that performs business associate services for Sentara, until October 17, 2018.

    The penalty and corrective action plan is an important reminder to covered entities to accurately and timely report breaches to OCR. Under HIPAA, covered entities must perform comprehensive risk assessments when determining whether a breach occurred and thoroughly evaluate the probability that PHI had been compromised. Once a reportable breach has been determined, covered entities are required to notify OCR of a breach affecting 500 or more individuals without unreasonable delay and in no case later than 60 days following the breach. If a breach affects fewer than 500 individuals, a covered entity may notify OCR of such breach on an annual basis.

    To drive the reporting requirement point further, OCR Director Roger Severino stated, “When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.”

    OCR’s press release about this settlement can be found here.

    Practices

    HealthcareHealth Information - Privacy, Security & Data Sharing
    The foregoing has been prepared for the general information of clients and friends of the firm. It is not meant to provide legal advice with respect to any specific matter and should not be acted upon without professional counsel. If you have any questions or require any further information regarding these or other related matters, please contact your regular Nixon Peabody LLP representative. This material may be considered advertising under certain rules of professional conduct.

    Subscribe to stay informed of the latest legal news, alerts, and business trends.Subscribe

    • People
    • Capabilities
    • Insights
    • About
    • Locations
    • Events
    • Careers
    • Alumni
    • Cookie Preferences
    • Privacy Policy
    • Terms of Use
    • Accessibility Statement
    • Statement of Client Rights
    • Purchase Order Terms & Conditions
    • Nixon Peabody International LLC
    • PAL
    © 2025 Nixon Peabody. All rights reserved