Privacy Officer's Roundtable

Protected Health Information

  • 1.  Protected Health Information

    Posted 11-28-2019 08:28 AM

    Below is an enforcement action from OCR.  Some of the disclosures included patient names, account numbers, and dates of services, but were not included in the breach report because medical information wasn't included.

    I think there was a previous discussion on this forum (which I couldn't find) which mentioned that medical information needed to be included with the patient identifiers in order for the identifiers to be considered protected health information.  Unless I misunderstood the previous posts (which is quite possible!) or there is more to the story below, my interpretation is that if OCR is saying that medical information does not need to be included in order to constitute a breach, then medical information does not need to be included with patient identifiers in order for the identifiers to be considered protected health information.

    Am I not remembering the previous discussion correctly, or am I mis-interpreting?

    Happy Thanksgiving to you all!  I am very thankful for these discussions because they help me to learn and consider things from a different perspective!

    November 27, 2019

    OCR Secures $2.175 Million HIPAA Settlement after Hospitals Failed to Properly Notify HHS of a Breach of Unsecured Protected Health Information

    In an agreement with the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), Sentara Hospitals (Sentara) have agreed to take corrective actions and pay $2.175 million to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification and Privacy Rules.  Sentara is comprised of 12 acute care hospitals with more than 300 sites of care throughout Virginia and North Carolina.

     In April of 2017, HHS received a complaint alleging that Sentara had sent a bill to an individual containing another patient's protected health information (PHI). OCR's investigation determined that Sentara mailed 577 patients' PHI to wrong addresses that included patient names, account numbers, and dates of services.  Sentara reported this incident as a breach affecting 8 individuals, because Sentara concluded, incorrectly, that unless the disclosure included patient diagnosis, treatment information or other medical information, no reportable breach of PHI had occurred.  Sentara persisted in its refusal to properly report the breach even after being explicitly advised of their duty to do so by OCR. OCR also determined that Sentara failed to have a business associate agreement in place with Sentara Healthcare, an entity that performed business associate services for Sentara.

     "HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed." said Roger Severino, OCR Director.  "When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR."

    In addition to the monetary settlement, Sentara will undertake a corrective action plan that includes two years of monitoring. The resolution agreement and corrective action plan may be found at


    Compliance/Ethics & Privacy Director
    2020 SCCE Membership

  • 2.  RE: Protected Health Information

    Posted 11-29-2019 08:23 AM
    I'm not understanding this failure to report all as a breach. It's a bill. Presumably it has the name of the hospital system on the letterhead and envelope. Then we have the patient's name, dates of service and an account name. Seems like we're identifying 500 people as patients of Sentara to me, but these are hard to Monday morning quarterback not having all of the details. To answer your question, do I think you also need diagnosis information to constitute PHI? No, the information outlined is PHI. Now do the LoProCo. May the addition of diagnosis information sway your analysis? That's a different question. Depends upon the risk tolerance of your organization.

    Brenda Manning J.D., C.H.C., C.H.P.C.
    Compliance Director, Privacy
    Carilion Administrative Services Building, Ste. 1201
    213 S. Jefferson Street
    Roanoke, VA 24011
    (540) 224-5757
    Fax: (540) 510-224-5787
    Integrity Help Line Compliance: (844) 732-6232

    Our Mission: Improve the health of the communities we serve.

    The views expressed herein are my own and do not represent those of my employer. They are not meant to constitute legal advice or create an attorney-client relationship.


  • 3.  RE: Protected Health Information

    Posted 11-29-2019 09:54 AM
    I'm right there with you...even with just the details we've read...this is clearly a breach and I don't think it is a bad thing to share that someone simply made an error in their conclusion of this incident.  Unfortunately...and costly as well.

    ► We don't fail unless we quit! ◄
    --------Frank Ruelas---------


  • 4.  RE: Protected Health Information

    Posted 11-29-2019 06:27 PM
    Hi Cindra

    This issue stems back to the understanding of what constitutes PHI.  Remember, PHI does not have to include a medical diagnosis, or clinical data.  That is where some folks get tripped up.

    Hernan Serrano
    Director of Compliance
    St. Louis, MO


  • 5.  RE: Protected Health Information

    Posted 12-02-2019 10:32 AM
    I am constantly reminding people here that PHI is more than just claims. Enrollment information, including coverage, billing, and payment, is all PHI when you have an individual attached.

    Carl Russell
    Compliance Analyst, CHPC
    Delta Dental of Idaho

    Anything I say is my sole opinion and not of my company.
