Sentara is comprised of 12 acute care hospitals with more than 300 sites of care throughout Virginia and North Carolina.
In April of 2017, HHS received a complaint alleging that Sentara had sent a bill to an individual containing another patient’s protected health information . OCR’s investigation determined that Sentara mailed 577 patients’ PHI to wrong addresses that included patient names, account numbers, and dates of services.
“HIPAA compliance depends on accurate and timely self-reporting of breaches because patients and the public have a right to know when sensitive information has been exposed.” said Roger Severino, OCR Director. “When health care providers blatantly fail to report breaches as required by law, they should expect vigorous enforcement action by OCR.”
In addition to the monetary settlement, Sentara will undertake a corrective action plan that includes two years of monitoring. The resolution agreement and corrective action plan may be found at