Boston Medical Center agreed to settle the alleged HIPAA violations with OCR for $100,000. A nurse in a New York clinic found herself at the center of an ugly HIPAA violation case when her sister-in-law's boyfriend was diagnosed with an STD. St. Joseph Health has agreed to pay OCR $2,140,500. The chain acknowledged that log books contained protected health information and implemented the required changes. Five former Methodist employees have been indicted on charges . Oklahoma State University Center for Health Sciences experienced a hacking incident that was reported to OCR in January 2018. To avoid these, a proactive approach should include a regular risk assessment and corrective action plan. OCR settled the case for $3,500. North Memorial has agreed to pay $1,550,000 to OCR to settle the HIPAA violation charges. 2021 HIPAA Right of Access Enforcement Actions. Other 2021 HIPAA Violation Penalties. In some severe cases, yes, nurses can lose their jobs if they violate HIPAA. A settlement of $150,000 has been reached with OCR. OCR launched an investigation of University of Rochester Medical Center following receipt of two breach reports concerning lost/stolen portable devices containing ePHI: a flash drive and a laptop computer. A violation of HIPAA attributable to ignorance can attract a fine of $100 to $50,000. The Paubox team exported all reported incidents from HHS's official Breach Portal from January 1, 2019 to December 31, 2019 and used the data to compile the following summary. Below are details of 47 incidents since 2012 in which workers at nursing homes and assisted-living centers shared photos or videos of residents on social media networks. OCR also determined there had been a risk analysis failure, a failure to implement Privacy Rule policies, and unique IDs had not been provided to all employees to track information system activity. Issue: Impermissible Uses and Disclosures.
Further, the covered entity counseled the supervisor about appropriate use of the medical information of a subordinate. The disclosed information included details of patients' visits, treatment, and insurance. Health care providers (persons and units) that provide, bill for and are paid for health care and transmit Protected Health Information (governs how individuals can use and disclose confidential patient information) in connection with certain transactions are required to comply with the privacy and security regulations established according to the Health Insurance Portability and . The case was settled for $15,000. OCR intervened and closed the case but received a second complaint a year later alleging the records had still not been provided. A pharmacy employee placed a customer's insurance card in another customer's prescription bag. Issue: Impermissible Uses and Disclosures; Authorizations. While the amendment provisions of the Privacy Rule permit a covered entity to deny an individual's request for an amendment when the covered entity did not create the portion of the record subject to the request for amendment, no similar provision limits individuals' rights to access their protected health information. The Diabetes, Endocrinology & Lipidology Center, Inc., a West Virginia-based healthcare provider specializing in treating endocrine disorders, failed to provide a parent with a copy of her minor child's protected health information within 30 days. When you're discussing a patient's information on the phone, you need to be in a private place where others can't hear you. Issue: Impermissible Use. The OCR investigation determined 577 patients had been affected, but Sentara Hospitals refused to update its breach notice to reflect the correct number of patients affected. In 2014, hackers accessed its systems and stole the ePHI of 6,121,158 individuals.
OCR provided technical assistance to the covered entity regarding the requirement that covered entities seeking to disclose PHI for research recruitment purposes must obtain either a valid patient authorization or an Institutional Review Board (IRB) or privacy-board-approved alteration to or waiver of authorization. OCR determined this breached the HIPAA Right of Access provision of the HIPAA Privacy Rule. The man sued the clinic, even though it had already dismissed the nurse from her job. A case study involving one nursing education program's experience with a Health Insurance Portability and Accountability Act (HIPAA) violation is used to illustrate how one nursing. A study found that the average person spends about 52 minutes per day engaging in this type of conversation. To resolve the matter, OCR required the pharmacy chain and the law firm to enter into a business associate agreement. The revised policy was implemented in the chain's stores nationwide. A staff member of a medical practice discussed HIV testing procedures with a patient in the waiting room, thereby disclosing PHI to several other individuals. was investigated by OCR in response to a complaint from a patient that she would be charged a fee of $170 for her medical records. The Center provided OCR with a valid authorization, signed by the complainant, permitting the release of information to the auto insurance company. The minimum fine is $100 per violation (up to $50,000) for Category 1 violations. A New York City Hospital Is Investigating a Nurse for Sharing Video Footage With The Intercept. Lillian Udell is being investigated for violating privacy laws after sharing video of nurses.
While the Privacy Rule may permit the disclosure of an OR schedule containing PHI, in this case, a hospital employee shared the OR schedule with the complainant's supervisor, who was not part of the employee's treatment team, and did not need the information for payment, health care operations, or other permissible purposes. Covered Entity: Pharmacy Chain. Physician Revises Faxing Procedures to Safeguard PHI. A settlement was agreed upon with OCR that included a $25,000 penalty. Issue: Impermissible Disclosure-Research. The Board can report disciplinary actions to other agencies that oversee nursing licenses. The case was settled with OCR and a $23,000 financial penalty was imposed. However, as violations of HIPAA are so severe, then CEs will choose to terminate the . Outpatient Surgical Facility Corrects Privacy Procedure in Research Recruitment. Covered Entity: Mental Health Center. The Californian general dental practice, New Vision Dental, was investigated by OCR following reports about impermissible disclosures of patients' protected health information on the review platform Yelp. HIPAA Compliance and Enforcement. State Hospital Sanctions Employees for Disclosing Patient's PHI. But violations are also quite serious. The nurse received the board notice for a hearing and the allegations against her, which involved breaching her duty to protect the patients' confidentiality and privacy rights in violation of the state's nurse practice act and administrative rules. Steven A. Porter, M.D.'s gastroenterological practice in Ogden, UT reported a breach to OCR involving a medical record company that was blocking access to patients' ePHI until a bill was paid. CHCS failed to perform a comprehensive risk analysis since September 23, 2013. Nope. OCR settled the case for $55,000. The case was settled for $36,000. HMO Revises Process to Obtain Valid Authorizations. The case was settled and a financial penalty of $28,000 was paid.
Issue: Impermissible Uses and Disclosures; Business Associates. Issue: Safeguards; Impermissible Uses and Disclosures. As of July 2022, there have been 38 HIPAA Right of Access cases under this compliance initiative that resulted in financial penalties. The PHI of 58,106 patients was improperly disposed of during that timeframe. Some of these were accidental. A hospital employee's supervisor accessed, examined, and disclosed an employee's medical record. OCR provided technical assistance and closed the case, but the records were still not provided. Anchorage Community Mental Health Services (ACMHS) runs five mental health facilities in Alaska and is a non-profit organization. OCR attempted to resolve the matter via informal means between November 6, 2015, and August 30, 2016, before issuing a Notice of Proposed Determination on September 30, 2016. The Office for Civil Rights has agreed to its largest-ever financial penalty for a violation of the Health Insurance Portability and Accountability Act's Privacy and Security Rules. OCR received a complaint from a patient who alleged he had been denied access to his medical records. The Department of Health and Human Services' Office for Civil Rights (OCR) has fined New York Presbyterian Hospital (NYP) $2.2 million for allowing patients to be filmed for a TV show without obtaining prior permission from patients. Sentara Hospitals reported the breach to OCR as having impacted 8 individuals. Failure to report a violation could have serious consequences. OCR determined there had been a failure to protect patient information which resulted in an impermissible disclosure of 2,150 patient records. Denver Retina Center, a Denver, CO-based provider of ophthalmological services, failed to provide a patient with timely access to the requested medical records.
Dr. Robert Glaser, a New Hyde Park, NY-based cardiovascular disease and internal medicine doctor, failed to provide a patient with timely access to the requested medical records after repeated requests. 3 Examples of HIPAA Violation Cases. Example #1: When it comes to HIPAA, curiosity can kill the cat or your career. The case was settled for $3,500. Idaho State University's Pocatello Family Medicine Clinic disabled the firewall that was protecting a server containing the medical health records of 17,500 patients. Issue: Access. A patient alleged that a covered entity failed to provide him access to his medical records. The Department of Health and Human Services' Office for Civil Rights has announced that Children's Medical Center of Dallas has paid a civil monetary penalty of $3.2 million to resolve multiple HIPAA violations spanning several years. The case was settled for $6,850,000. The claim included the patient's test results. Aetna Life Insurance Company and the affiliated covered entity (Aetna) were investigated over three data breaches that exposed the ePHI of 18,489 individuals. Taking this into account, the figures OCR is working with are detailed in the table below and will apply indefinitely, until the next increase to account for inflation. There may be a viable claim, in some cases, under state laws. Data were accessed by unknown third parties after ePHI data was unwittingly transferred to a server accessible to the public. A nurse and an orderly at a state hospital discussed the HIV/AIDS status of a patient and the patient's spouse within earshot of other patients without making reasonable efforts to prevent the disclosure. The nurse sent six text messages, warning the man's girlfriend about the disease. Covered Entity: Health Plans / HMOs. OCR has announced a $5.5 million settlement had been reached with Florida-based Memorial Healthcare Systems to resolve potential Privacy Rule and Security Rule violations.
The HIPAA Right of Access violation was settled with OCR for $70,000. The device contained a range of patients' ePHI, including full names, Social Security numbers, and dates of birth. Covered Entity: Private Practices. The 2020 increase is largely due to OCR's HIPAA Right of Access enforcement initiative, which was launched in late 2019. A violation of HIPAA attributable to ignorance can attract a fine of $100 to $50,000. HIPAA calls for civil fines up to $25,000 per violation to be paid by the employer, and criminal fines up to $250,000 to be paid by the employer and/or the individual. The case was settled for $25,000. Another potential HIPAA violation that's easily overlooked is discussing information over the phone. For only the second time in its history, OCR has ordered a HIPAA-covered entity to pay civil monetary penalties for HIPAA violations. Covered Entity: General Hospital. Fallbrook Family Health Center in Nebraska failed to provide a patient with timely access to the requested medical records. The case was settled for $2,300,000. Scott Harris and the rest of our team at S J Harris Law will be ready to help you pursue any option available that allows you to keep your license and continue working, no matter what industry you are in. University of Texas MD Anderson Cancer Center was ordered to pay a civil monetary penalty of $4,348,000. HIPAA Violation Case Settled Between Ambulance Company & OCR for $65,000. A national health maintenance organization sent an explanation of benefits (EOB) by mail to a complainant's unauthorized family member. Brigham and Women's Hospital was fined for allowing an ABC film crew to record footage of patients as part of the Boston Med TV series, without first obtaining consent from patients. 4) Loss or Theft of Devices. After the permanent closure of the company, paperwork containing former patients' PHI was discarded by FileFax.
Coastal Ear, Nose, and Throat in Florida received a request from a patient for a copy of medical records on December 15, 2020, and again on January 8, 2021, but the records were not provided until May 20, 2021. Private Practice Revises Policies and Procedures Addressing Activities Preparatory to Research. CHSPSC LLC is a Tennessee-based management company that provides services to affiliates of Community Health Systems. In order to resolve this matter to OCR's satisfaction and to prevent a recurrence, the covered entity: terminated the nurse practitioner's access to its electronic records system; reported the nurse practitioner's conduct to the appropriate licensing authority; and provided the nurse practitioner with remedial Privacy Rule training. In addition, the employee who made the disclosure was counseled and given a written warning. One addressed the issue of minimum necessary information in telephone message content. The impermissible disclosures of PHI resulted in a $10,000 settlement. Delaware Co. June 5, 2012). Honolulu-based Hawaii Pacific Health fired an employee in March after discovering the employee had inappropriately accessed patient medical records between November 2014 and January 2020. There are four tiers of HIPAA violation penalties for nurses, ranging from unknowing violations to willful neglect of HIPAA Rules. Issue: Access. They split the fines and charges into two categories: reasonable cause and willful neglect. The case was settled for $100,000. OCR determined the failure to terminate access rights when employment had ended was in violation of the HIPAA Security Rule. Covered Entity: Health Care Provider. PHI had been intentionally provided to the media on three separate occasions. Despite fluctuations in their nature, there.
Danbury Psychiatric Consultants in Massachusetts received a request for medical records on March 24, 2020, but access to the records was refused due to an outstanding bill. OCR settled the case for $50,000. If an offense is committed under false pretenses, the criminal penalties increase to a maximum . Private Practice Revises Process to Provide Access to Records Regardless of Payment Source. The Department of Justice is the authority that handles all the breach fines and charges for violating HIPAA regulations. Activities considered preparatory to research include: preparing a research protocol; developing a research hypothesis; and identifying prospective research participants. Washington, D.C. 20201, November 16, 2022. Among other corrective actions to remedy this situation, OCR required that the hospital revise its subpoena processing procedures. Under the Notice of Enforcement Discretion, the maximum annual penalty for a violation could be capped at $25,000 for tier 1, $100,000 for tier 2, and $250,000 for tier 3. Case Examples. OCR required the covered entity to cease using the patient agreement that conditioned the entity's compliance with the Privacy Rule. To resolve this matter, the mental health center revised its intake assessment policy and procedures to specify that the notice will be provided and the clinician will attempt to obtain a signed acknowledgement of receipt of the notice prior to the intake assessment. Presence Health took three months to issue breach notifications when the Breach Notification Rule requires notifications to be sent within 60 days of the discovery of a breach. The infection resulted in the impermissible disclosure of the electronic protected health information of 1,670 individuals. In 2015, Premera discovered there had been a breach of the ePHI of 10,466,692 individuals.
The minimum fines are $100 per violation for tier 1, $1,000 per violation for tier 2, $10,000 per violation for tier 3, and $50,000 per violation for tier 4. During the investigation, OCR discovered the business associate had acquired Peachstate, a CLIA-certified laboratory that provides clinical and genetic testing services. Athens Orthopedic Clinic PA in Georgia had its systems hacked in 2016. OCR stepped up enforcement of compliance with the HIPAA Rules in 2016, more than doubling the number of financial penalties. A violation due to willful neglect which is corrected within thirty days will attract a fine of between $10,000 and $50,000. OCR's investigation revealed periodic technical and non-technical evaluations of operational changes affecting the security of their electronic PHI had not been performed, procedures had not been implemented to verify the identity of individuals accessing their ePHI, there was a lack of ePHI safeguards, and Aetna had violated the minimum necessary standard. Another way to prevent HIPAA violations on social media is to get proper compliance training for your staff. Issue: Safeguards. The HIPAA Right of Access violation was settled with OCR for $160,000. When dealing with these complex issues, you need legal representation that has a long track record of success in these types of cases. The patient had requested a copy of her child's fetal heart monitor records, but 9 months after the request had been submitted the records still had not been provided. The outpatient facility reportedly believed that such disclosures were permitted by the Privacy Rule. Among other corrective action taken, the Center provided the complainant with a copy of her medical record and revised its policies and procedures to ensure that it provides timely access to all individuals. Issue: Access. The pharmacy did not consider the customer's insurance card to be protected health information (PHI).
A Nurse's Guide to the Use of Social Media discusses the case of a hospice nurse whose cancer patient had posted about her depression. State Attorneys General can also impose financial penalties on HIPAA-covered entities and business associates for violations of the HIPAA Rules. Among other corrective actions to resolve the specific issues in the case, the pharmacy revised its policies regarding PHI and retrained its staff. This was OCR's first settlement under the 2019 HIPAA Right of Access enforcement initiative. OCR investigated and uncovered multiple potential violations of the HIPAA Rules: a risk analysis failure, a risk management failure, a lack of information system activity reviews, and insufficient technical policies to prevent unauthorized ePHI access. The trial court noted that HIPAA does not create a private right of action, but instead requires that violations be pursued via administrative channels (i.e., by filing a complaint with HHS). Maybe PHI was in the background unknowingly. OCR settled the case for $22,500. For example, any HIPAA form a patient signs needs to have a Right to Revoke clause. OCR's investigation revealed that the radiology practice had relied upon incorrect billing information from the treating hospital in submitting the claim. A hospital employee did not observe minimum necessary requirements when she left a telephone message with the daughter of a patient that detailed both her medical condition and treatment plan. A private practice denied an individual access to his records on the basis that a portion of the individual's record was created by a physician not associated with the practice. OCR launched an investigation into the Carroll County, GA ambulance company, West Georgia Ambulance, after being notified about the loss of an unencrypted laptop computer that contained the PHI of 500 patients.
A chain pharmacy disclosed protected health information to municipal law enforcement officials in a manner that did not conform to the provisions of the Privacy Rule. September 05, 2017 - A Kentucky hospital was found to have acted lawfully when it fired a nurse for committing a HIPAA violation, according to the Kentucky Court of Appeals. Providence Health & Services. Covered Entity: General Hospital. The complainant alleged that a mental health center (the "Center") refused to provide her with a copy of her medical record, including psychotherapy notes. OCR's investigation determined that the private practice had relied on state regulations that permit a covered entity to provide a summary of the record. Covered Entity: Private Practice. The hospital also trained relevant staff members on the new procedures. In March 2019, OCR received a complaint from a patient who alleged she had not been provided with a copy of her medical records in the requested electronic format despite making repeated requests. Entity Rescinds Improper Charges for Medical Record Copies to Reflect Reasonable, Cost-Based Fees. An OCR investigation indicated that the form the HMO relied on to make the disclosure was not a valid authorization under the Privacy Rule. The first bar in the group of three per year represents the complaints closed in which there was no violation, the second those in which there was corrective action, and the third reflects the total closures.