Honolulu-based Hawaii Pacific Health fired an employee in March after discovering the employee had inappropriately accessed patient medical records between November 2014 and January 2020. I personally would not expect a student to fully understand these things; correction and education would be in order rather than exaggerating the offenses to the level of a HIPAA violation. The patient filed a complaint with OCR and the records were eventually provided more than 10 months later. Sentara Hospitals reported the breach to OCR as having impacted 8 individuals. The Department of Health and Human Services' Office for Civil Rights (OCR) has revealed that a $65,000 HIPAA violation settlement has been agreed with West Georgia Ambulance, Inc., to address multiple breaches of the Health Insurance Portability and Accountability Act Rules. A nurse practitioner who has privileges at a multi-hospital health care system and who is part of the system's organized health care arrangement impermissibly accessed the medical records of her ex-husband. Among other corrective actions to resolve the specific issues in the case, OCR required the hospital to develop and implement a policy regarding disclosures related to serious threats to health and safety, and to train all members of the hospital staff on the new policy. The records were provided within days of OCR intervening. To avoid these violations, a proactive approach should include a regular risk assessment and a corrective action plan. November 16, 2022. The incident for which the fine has been issued dates back to 2009, when a data security complaint was filed by a patient of one of its doctors. OCR attempted to resolve the matter via informal means from November 6, 2015, to August 30, 2016, before issuing a Notice of Proposed Determination on September 30, 2016. Memphis Commercial Appeal.
Detailed below is a summary of all HIPAA violation cases that have resulted in settlements with the Department of Health and Human Services Office for Civil Rights (OCR), including cases that have been pursued by OCR after potential HIPAA violations were discovered during data breach investigations, and investigations of complaints submitted by patients and healthcare employees. Hillcrest Nursing and Rehabilitation in Massachusetts received a request from a parent for her son's medical records on March 22, 2020, but the records were not provided until October 10, 2020. The HIPAA Right of Access violation was settled with OCR for $70,000. The hospital asserted that the disclosures were made to avert a serious threat to health or safety; however, OCR's investigation indicated that the disclosures did not meet the Privacy Rule's standard for such actions. Covered Entity: Mental Health Center The trial court noted that HIPAA does not create a private right of action, but instead requires that violations be pursued via administrative channels (i.e., by filing a complaint with HHS). The failure to cooperate with the investigation and respond to an administrative subpoena resulted in a civil monetary penalty of $50,000. The city of New Haven in Connecticut was investigated over an incident where a former employee accessed its systems after termination and copied a file containing the ePHI of 498 individuals. A good example of this is a laptop that is stolen. OCR determined there had been risk analysis failures, insufficient reviews of system activity, a failure to respond adequately to a detected breach, and insufficient technical controls to prevent unauthorized ePHI access. Nurses who knowingly obtain or disclose individually identifiable health information can face criminal penalties of up to $50,000 and a maximum of 12 months in jail.
Outpatient Surgical Facility Corrects Privacy Procedure in Research Recruitment Covered Entity: Health Plans / HMOs OCR imposed a civil monetary penalty of $100,000. Issue: Impermissible Uses and Disclosures. OCR determined that the failure to encrypt ePHI (or to implement a documented equivalent safeguard) was in violation of the HIPAA Security Rule, that there were insufficient device and media controls, and that a business associate agreement had not been entered into with its parent company. The containers had labels that included the PHI of patients. 45 C.F.R. § 164.308(a)(1)(ii)(B). A digital photocopier was returned to a leasing company, but the PHI stored on its hard drive had not been erased before the device was returned. A was charged with violating the Health Insurance Portability and Accountability Act (HIPAA) and with "conspiracy to wrongfully disclose individual health information for personal gain with maliciously harmful intent in a personal dispute." Her husband was charged with witness tampering. A HIPAA settlement of $218,400 has been reached with St. Elizabeth's Medical Center (SEMC) for violations of the HIPAA Privacy, Security, and Breach Notification Rules. Great Expressions Dental Center of Georgia, P.C. Wise Psychiatry is a small provider of psychiatric services in Colorado. To resolve this matter, the mental health center revised its intake assessment policy and procedures to specify that the notice will be provided and the clinician will attempt to obtain a signed acknowledgement of receipt of the notice prior to the intake assessment.
Covered Entity: Health Care Provider / General Hospital Hospital Implements New Minimum Necessary Policies for Telephone Messages Nancy Brent replies: Dear Paige: The Health Insurance Portability and Accountability Act requires that all covered entities (including nurses, whether they work in a hospital or other healthcare setting) protect against unauthorized disclosure of a patient's personally identifiable health information. A mental health center did not provide a notice of privacy practices (notice) to a father or his minor daughter, a patient at the center. A grocery store based pharmacy chain maintained pseudoephedrine log books containing protected health information in a manner such that individual protected health information was visible to the public at the pharmacy counter. Providence Health & Services. Covered Entity: General Hospital Issue: Safeguards. OCR confirmed that PHI had been disclosed without an authorization from the patient and that there had been no sanctions against the physician responsible, despite the physician having been warned in advance not to disclose any PHI. The Department of Health and Human Services Office for Civil Rights (OCR) imposed a $1.6 million civil monetary penalty (CMP) on the Texas Health and Human Services Commission (TX HHSC) for multiple violations of HIPAA Rules discovered during the investigation of an exposed internal application containing ePHI. OCR investigated and uncovered multiple potential violations of the HIPAA Rules: a risk analysis failure, a risk management failure, a lack of information system activity reviews, and insufficient technical policies to prevent unauthorized ePHI access. OCR investigated and found that the EHR company had been allowed access to ePHI without signing a business associate agreement, along with risk analysis and risk management failures.
A nurse at a Texas children's hospital has been fired for violating Health Insurance Portability and Accountability Act (HIPAA) Rules by posting protected health information on a social media website. An OCR investigation indicated that the form the HMO relied on to make the disclosure was not a valid authorization under the Privacy Rule. A settlement of $150,000 has been reached with OCR. In addition to corrective action taken under the Privacy Rule, the state attorney general's office entered into a monetary settlement agreement with the patient. Covered Entity: Private Practice Health care providers (persons and units) that provide, bill for and are paid for health care and transmit protected health information in connection with certain transactions are required to comply with the privacy and security regulations (which govern how covered entities may use and disclose individually identifiable health information) established according to the Health Insurance Portability and . The settlement relates to the impermissible disclosure of the electronic protected health information of 2,209 patients in 2011. A state health sciences center disclosed protected health information to a complainant's employer without authorization. A physician practice requested that patients sign an agreement entitled Consent and Mutual Agreement to Maintain Privacy. The agreement prohibited the patient from directly or indirectly publishing or airing commentary about the physician, his expertise, and/or treatment in exchange for the physician's compliance with the Privacy Rule. A complainant alleged that a private practice physician denied her access to her medical records because the complainant had an outstanding balance for services the physician had provided. If not, the form is invalid and any information released to a third party would be in violation of HIPAA regulations. Fresenius Medical Care North America settled the case for $3,500,000.
Presence Health took three months to issue breach notifications, when the Breach Notification Rule requires notifications to be sent without unreasonable delay and no later than 60 days after the discovery of a breach. The patient had requested a copy of her child's fetal heart monitor records, but 9 months after the request had been submitted the records still had not been provided. Pharmacy Chain Enters into Business Associate Agreement with Law Firm A patient of University of Cincinnati Medical Center filed a complaint with OCR after not being provided with her requested records more than 13 weeks after submitting a request. The complainant alleged that a mental health center (the "Center") improperly provided her records to her auto insurance company and refused to provide her with a copy of her medical records. The device contained a range of patients' ePHI, including full names, Social Security numbers, and dates of birth. Unprotected storage of private health information can be an issue. Covered Entity: Pharmacies Initially, the pharmacy chain refused to acknowledge that the log books contained protected health information. Employees were trained to provide only the minimum necessary information in messages, and were given specific direction as to what information could be left in a message. The server had been purchased and a file-sharing application was installed, yet the application was left in its default configuration. Covered Entity: Outpatient Facility An investigation of five separate breaches at HIPAA-covered entities owned by Fresenius Medical Care North America revealed that multiple HIPAA violations had contributed to the breaches. Raleigh Orthopaedic has agreed to pay OCR $750,000 for failing to enter into a business associate agreement (BAA) with a vendor before handing over the protected health information (PHI) of 17,300 patients in 2013.
Covered Entity: Health Plans As a result of this review, the hospital revised the distribution of the OR schedule, limiting it to those who have a need to know. Private Practice Ceases Conditioning of Compliance with the Privacy Rule The ePHI of 62,500 patients was exposed. To resolve this matter, the covered entity refunded the $100.00 records review fee. Hospital Issues Guidelines Regarding Disclosures to Avert Threats to Health or Safety The directory contained files that included the protected health information (PHI) of 307,839 individuals. WellPoint is one of the largest providers of affiliated health plans, with almost 36 million policyholders across the United States. OCR's investigation determined that a flaw in the health plan's computer system put the protected health information of approximately 2,000 families at risk of disclosure in violation of the Rule. CHCS also failed to implement appropriate security measures to address risks to ePHI in accordance with 45 C.F.R. Dr. Glazer did not cooperate with OCR during the investigation, resulting in OCR imposing a civil monetary penalty of $100,000 for the HIPAA Right of Access violation. Among the corrective actions required to resolve this case, OCR required the insurer to correct the flaw in its computer system, review all transactions for a six-month period and correct all corrupted patient information. MAPFRE has agreed to a $2,200,000 settlement with OCR. OCR launched an investigation into the Carroll County, GA ambulance company, West Georgia Ambulance, after being notified about the loss of an unencrypted laptop computer that contained the PHI of 500 patients.
Among other corrective actions to resolve the specific issues in the case, OCR required the outpatient facility to: revise its written policies and procedures regarding disclosures of PHI for research recruitment purposes to require valid written authorizations; retrain its entire staff on the new policies and procedures; log the disclosure of the patient's PHI for accounting purposes; and send the patient a letter apologizing for the impermissible disclosure. A private practice denied an individual access to his records on the basis that a portion of the individual's record was created by a physician not associated with the practice. Without a properly executed agreement, a covered entity may not disclose PHI to its law firm. The California-based general dental practice New Vision Dental was investigated by OCR following reports about impermissible disclosures of patients' protected health information on the review platform Yelp. Among other corrective action taken, the Center provided the complainant with a copy of her medical record and revised its policies and procedures to ensure that it provides timely access to all individuals. However, the investigation revealed that the pharmacy chain and the law firm had not entered into a Business Associate Agreement, as required by the Privacy Rule to ensure that PHI is appropriately safeguarded. Exposure of ePHI occurred as a direct result of the failure to conduct a comprehensive risk analysis and a security assessment on a server prior to using it to share files containing ePHI. By increasing its enforcement activity, OCR is sending a message to all covered entities, large and small, that violations of HIPAA Rules will not be tolerated. Moreover, the entity was required to train all staff on the revised policy. Issue: Safeguards.
Documentation was uncovered that clearly showed that mobile devices were believed to represent a critical security risk, yet action was not taken to address this issue in time to prevent the data breach. The new procedures were instituted in Medicaid offices and independent health care programs under the jurisdiction of the municipal social service agency. But violations are also quite serious. It took 8 months from the date of the first request for the records to be provided. Aim: This study aimed to evaluate nurses' ability to identify ethical violations in hypothetical case studies involving social media use. In April, nurses on the night shift at Denver Health Medical Center were caught making inappropriate comments about a male patient's genitalia, according to a report from the Colorado Department. The four penalty tiers range from violations the entity did not know about (and could not reasonably have known about) to willful neglect of HIPAA rules that is not corrected. Data were accessed by unknown third parties after ePHI was unwittingly transferred to a server accessible to the public. The case was settled with OCR for $300,640. OCR settled the case for $3,500. OCR received a complaint from a patient who alleged AIMS refused to give her a copy of her medical records. Once the physician learned that he could not withhold access until payment was made, the physician provided the complainant a copy of her medical record. Covered Entity: General Hospital After treating a patient injured in a rather unusual sporting accident, the hospital released to the local media, without the patient's authorization, copies of the patient's skull x-ray as well as a description of the complainant's medical condition. A settlement was agreed upon with OCR that included a $25,000 penalty. Family Dental Care, P.C. A violation of HIPAA attributable to lack of knowledge can attract a fine of $100 to $50,000 per violation. Some of these were accidental. The case was settled for $5,100,000. The case was settled for $65,000.
The Center provided OCR with a valid authorization, signed by the complainant, permitting the release of information to the auto insurance company. The investigation confirmed there had been a HIPAA Right of Access failure. Memorial Hermann Health System has agreed to pay OCR $2,400,000. A contested hearing took place, and the board found the nurse: This was the case in 2019, when a number of healthcare professionals accessed a particular actor's medical records after the actor was part of a potential hoax hate crime, which became headline news. The Office for Civil Rights has agreed to its largest-ever financial penalty for a violation of the Health Insurance Portability and Accountability Act's Privacy and Security Rules. In 2017, Lifespan mentioned in a news release that someone broke into an employee's vehicle and stole their work laptop. If a nurse violates HIPAA, a patient cannot sue the nurse for a HIPAA violation. Brigham and Women's Hospital agreed to settle the alleged HIPAA violations with OCR for $384,000. During the investigation, OCR discovered the business associate had acquired Peachstate, a CLIA-certified laboratory that provides clinical and genetic testing services. The Privacy Rule permits the imposition of a reasonable cost-based fee that includes only the cost of copying and postage and of preparing an explanation or summary if agreed to by the individual. Advocate Health Care Network will pay a record $5.55 million to settle multiple potential violations of the Health Insurance Portability and Accountability Act. Beth Israel Lahey Health Behavioral Services (BILHBS) is the largest provider of mental health and substance use disorder services in eastern Massachusetts. OCR determined its compliance program had been in disarray for several years. A chain pharmacy disclosed protected health information to municipal law enforcement officials in a manner that did not conform to the provisions of the Privacy Rule.
Washington, NC-based Metropolitan Community Health Services is a Federally Qualified Health Center. CNE is required to pay a financial penalty of $400,000 and must adopt a comprehensive Corrective Action Plan (CAP) to address various areas of HIPAA non-compliance. Since then, OCR has been cracking down on entities that have failed to provide individuals with timely access to their medical records. To resolve the matter, OCR required the pharmacy chain and the law firm to enter into a business associate agreement. Here are the top five misconceptions about FERPA and HIPAA that I regularly address in my work with schools. It took 5 months from the initial request for the complete set of medical records to be provided. Covered Entity: Private Practices Private Practice Revises Process to Provide Access to Records The maximum civil penalty for violations of an identical HIPAA provision is $1.5 million per calendar year (adjusted annually for inflation). When state laws are violated, the individuals whose ePHI has been compromised may be able to take legal action against the breached entity if it can be proven that an individual has suffered harm due to the negligence of a Covered Entity or Business Associate. As of July 2022, there have been 38 HIPAA Right of Access cases under this compliance initiative that resulted in financial penalties. Oklahoma State University Center for Health Sciences experienced a hacking incident that was reported to OCR in January 2018. The HIPAA Right of Access violation was settled with OCR for $30,000. In March 2019, OCR received a complaint from a patient who alleged she had not been provided with a copy of her medical records in the requested electronic format despite making repeated requests. It took 564 days from the initial request for all of the records to be provided to the patient.
A patient submitted a complaint to OCR about an impermissible disclosure of PHI in a mailing. The above penalties were implemented as required by the HITECH Act of 2009 and increase annually in line with inflation. The revised policies are applicable to all individual stores in the pharmacy chain. OCR conducted an investigation into an incident involving a stolen laptop that contained the ePHI of 20,431 patients. The California-based psychiatric medical services provider failed to provide a patient with timely access to the requested medical records and charged an unreasonable fee when the records were eventually provided. OCR investigated a breach reported by the Department of Veterans Affairs involving a business associate, Authentidate Holding Corporation. The practice settled the case with OCR for $80,000. OCR has just announced it has agreed to the largest ever HIPAA settlement with a single covered entity. Between 2005 and 2019, healthcare data breaches affected nearly 250 million people. Skagit County, Washington is paying the price for failing to implement the appropriate controls and safeguards to protect the data it held. These cases include civil monetary penalties, where it has been established that HIPAA Rules have been violated, and settlements, where HIPAA violations have been alleged to have occurred but the covered entity or business associate has decided not to contest the case and has instead chosen to pay a financial penalty to resolve the potential HIPAA violations with no admission of liability. Allergy Associates of Hartford paid OCR $125,000 to settle the alleged HIPAA violations. Violating HIPAA law can result in fines, job termination, loss of licensure, and criminal charges. Talking about a patient in a public area where others can hear you can be a HIPAA violation if reasonable safeguards against such disclosures were not in place.
Contrary to the Privacy Rule protections for information sought for administrative or judicial proceedings, the hospital failed to determine that reasonable efforts had been made to ensure that the individual whose PHI was being sought received notice of the request and/or failed to receive satisfactory assurance that the party seeking the information had made reasonable efforts to secure a qualified protective order. The dental practice with offices in Charlotte and Monroe, NC, impermissibly disclosed a patient's PHI on a webpage in response to a negative online review. Raleigh Orthopaedic Clinic, P.A., of North Carolina settled with OCR over alleged violations of HIPAA Rules. The case was settled for $10,000. The HIPAA Right of Access violation was settled with OCR for $32,150. Employees also were trained to review registration information for patient contact directives regarding leaving messages. A patient of Elite Dental Associates submitted a complaint to OCR stating her PHI had been disclosed by Elite Dental Associates in response to a review on Yelp. CardioNet is a Pennsylvania-based provider of remote mobile monitoring and rapid response services to patients at risk for cardiac arrhythmias. The private practice maintained that the disclosure to the contract research organization was permissible as a review preparatory to research. The Department of Health and Human Services Office for Civil Rights has announced it has settled potential HIPAA violations with Feinstein Institute for Medical Research for $3.9 million. An article published in the LA Times started a sequence of events that has now resulted in Shasta Regional Medical Center (SRMC) agreeing to a settlement of $275,000 for its violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.
The financial penalties imposed by OCR in 2020 for HIPAA Right of Access violations ranged from $15,000 to $160,000 and stemmed from refusals to provide copies of records or long delays. Delaware Co. June 5, 2012). Upon learning of the incident, the hospital placed both employees on leave; the orderly resigned his employment shortly thereafter. OCR settled the case for $55,000. After the permanent closure of the company, paperwork containing former patients' PHI was discarded by FileFax. Issue: Notice. The Phoenix, Arizona-based non-profit health system Banner Health experienced a hacking incident that resulted in the impermissible disclosure of the PHI of 2.81 million individuals in 2016. Presence Health, one of the largest healthcare networks serving residents of Illinois, has agreed to pay OCR $475,000 to settle potential HIPAA Breach Notification Rule violations.