An apparent lack of understanding of what defines Protected Health Information (PHI) has cost one hospital system $2.175 million in fines to the Office for Civil Rights (OCR) at the U.S Department of Health and Human Services (HHS). This week the OCR announced that Sentara Hospitals have agreed to pay the civil monetary penalty to settle potential HIPAA violations and to take corrective actions that include two years of monitoring. Sentara is comprised of 12 acute care hospitals with more than 300 sites of care throughout Virginia and North Carolina.

In 2017, the OCR received a complaint from an individual who alleged Sentara sent a bill to a patient containing the protected health information of another patient. Upon further investigation by the OCR, it was discovered that Sentara had actually mailed the medical bills of 577 patients to wrong addresses; the letters included patient names, account numbers, and dates of services.

Because the correspondence did not include patient diagnosis, treatment information or medical data, Sentara believed no reportable breach of PHI had occurred. The OCR refuted this claim and explicitly advised Sentara of its duty to properly report the breach to HHS. Sentara’s initial error in mailing to the wrong addresses was only further compounded by failure to recognize a breach had occurred and to report it.

“HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed,” said OCR Director Roger Severino in a statement. “When healthcare providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.”

Furthermore, the OCR investigation revealed that Sentara failed to apply a business associate agreement with Sentara Healthcare, a covered entity that performed business associate services involving the receipt, maintenance, disclosure of PHI for its member covered entities for the health system.

What is PHI?

PHI is information that can uniquely identify a patient. Not all elements of PHI are obvious but they are distinctly identified by the rules. Here is a list of the 18 identifiers that make health information PHI.

1. Names
2. Dates, except year
3. Telephone numbers
4. Geographic data
5. FAX numbers
6. Social Security numbers
7. Email addresses
8. Medical record numbers
9. Account numbers
10. Health plan beneficiary numbers
11. Certificate/license numbers
12. Vehicle identifiers and serial numbers including license plates
13. Web URLs
14. Device identifiers and serial numbers
15. Internet protocol addresses
16. Full face photos and comparable images
17. Biometric identifiers (i.e. retinal scan, fingerprints)
18. Any unique identifying number or code

Beyond memorizing this list, how can you be sure that your healthcare organization is HIPAA compliant and avoid a similar very costly misunderstanding? Contact us today for more information at 1-877-218-7707 or info@privaplan.com.