On November 27, 2019 the U.S. Department of Health & Human Services Office for Civil Rights (OCR) announced a $2.175 million dollar settlement with a hospital system to resolve alleged violations of HIPAA’s Breach Notification Rule and Privacy Rule. The settlement is noteworthy as it represents OCR’s fourth HIPAA settlement in excess of $1 million dollars in just over a month (see our coverage of recent enforcement actions here and here).

The settlement with a 10 hospital system arises from a complaint filed in April 2017 by an individual who claimed that the system had sent a bill to the complainant that contained another patient’s PHI. According to OCR, an investigation subsequently showed that billing statements for 577 patients had been improperly merged with different guarantor’s mailing labels, and thus resulted in the improper disclosure of the PHI of those 577 individuals. OCR also alleges that after conducting a risk assessment, the hospital system only provided breach notification to eight affected individuals. In its announcement of the settlement, OCR states that the system “incorrectly” concluded that only disclosures that include a patient diagnosis, treatment information or other medical information are reportable, and that the system had not properly reported the breach even after being advised by OCR of the duty to do so.

OCR’s investigation further indicated that the parent corporation of the hospital system provided business associate services to the subsidiary hospitals, but did not have a business associate agreement in place.

In addition to the $2.175 million monetary payment, as part of the settlement the hospital system agreed to enter into a two-year corrective action plan (CAP). The CAP requires the system to develop written policies and procedures for Breach Notification Rule compliance for approval by OCR. The approved policies and procedures must be distributed to workforce members, who in turn are required to certify that they have read, understood, and will abide by the policies and procedures. The CAP also requires the system to submit an implementation report to OCR, and then annual reports, that include information on any reportable events of non-compliance with the CAP.

This settlement provides an important reminder to hospital systems of the broad scope of the Breach Notification Rule, and the significant potential regulatory penalties for non-compliance with HIPAA when carrying out billing activities. Hospital systems structured to allow a parent corporation to provide certain administrative tasks on behalf of subsidiary hospitals would also be well advised to ensure that any business associate services furnished to covered entity subsidiaries by the parent (or other system entities) are addressed in a business associate agreement.