HIPAA: Failure to Report Breach Costs Hospital Millions

One health system recently learned the cost of relying too heavily on the HIPAA Breach Notification Rule’s “low probability of compromise” standard when it failed to notify all affected individuals and report the HIPAA breach to the Office for Civil Rights (OCR).

HIPAA covered entities frequently struggle with determining whether an inappropriate disclosure of protected health information (PHI) rises to the level of a reportable HIPAA breach—or alternatively, whether the disclosure creates only a “low probability of compromise.” A low probability of compromise determination means the covered entity is not required to notify the affected individual(s) or OCR under HIPAA’s Breach Notification Rule.

On November 27, 2019, Sentara Hospitals (Sentara), a health system with sites of care in Virginia and North Carolina, settled with OCR for $2.175 million for failing to properly notify OCR and affected individuals of a breach of unsecured PHI. Specifically, Sentara mailed out 577 patient billing statements to incorrect addresses. The billing statements included patient names, account numbers, and dates of services. At the time of the incident, Sentara conducted a risk assessment and determined that it only needed to notify eight individuals of the breach because the other disclosures did not contain a patient diagnosis, treatment information, or other medical information. That is, Sentara determined the other disclosures created only a “low risk of compromise” to the PHI, and thus notification was not required.

Is Hyperconvergence Helpful for All Healthcare Organizations?

Hyperconverged infrastructure combines storage, computing and networking into a single system. This architecture, compared with traditional data centers, makes HCI cheaper to operate, easier to manage, more scalable and more agile. It’s no wonder that enterprises in just about every industry are migrating to HCI — and healthcare is no exception.

Transparency Market Research predicts that the healthcare industry’s share of the HCI market will grow at a compound annual rate of nearly 42 percent through 2025.

This shift is partly the byproduct of two trends: the growing adoption of digital information storage systems and an increasing use of smartphone-based technologies for patient interaction, the firm says. For example, healthcare vendors such as Epic have spent the past few years making it easier to migrate applications such as electronic health records to an HCI environment.

HCI’s benefits to healthcare are still being realized, but the technology is worth the consideration of IT teams hoping to simplify their workloads, enhance performance and reduce system maintenance — even though its advantages might not be immediately obvious.

For instance, one hospital migrated its picture archiving and communication system (PACS) to a Nutanix HCI cluster. “PACS might seem like an odd candidate for virtualization,” says Logan Ayers, CDW principal inside solution architect for data centers. “But for them, eliminating the expense of owning and operating storage arrays made it worth the effort.”