A radiology practice that interpreted a hospital patient's imaging tests submitted a workers' compensation claim to the patient's employer. This was OCR's first settlement under the 2019 HIPAA Right of Access enforcement initiative. The case was settled for $65,000. HIPAA Advice, Email Never Shared OCR's investigation revealed that: the hospital distributed an Operating Room (OR) schedule to employees via email; the hospital's OR schedule contained information about the complainant's upcoming surgery. The device contained a range of patients' ePHI, including full names, Social Security numbers, and dates of birth. Nurses HIPAA Violation Examples The list of potential HIPAA violations by nurses is long, so the most commonly experienced nurse HIPAA violations are listed below: Initially, the pharmacy chain refused to acknowledge that the log books contained protected health information. Private Practice Revises Access Procedure to Provide Access Despite an Outstanding Balance A doctor's office disclosed a patient's HIV status when the office mistakenly faxed medical records to the patient's place of employment instead of to the patient's new health care provider. The HIPAA Right of Access violation was settled with OCR for $65,000. Issue: Access. HIPAA violations are not uncommon. However, the court also legitimized private cause for action in HIPAA lawsuits, which could set a precedent for HIPAA related legal action. Issue: Access, A patient alleged that a covered entity failed to provide him access to his medical records. To resolve this matter, OCR also required the practice to revise the office's fax cover page to underscore a confidential communication for the intended recipient. 3 Examples of HIPAA Violation Cases Example #1: When it comes to HIPAA, curiosity can kill the cat or your career. Therefore you should assess employees' security awareness as part of a risk analysis to see if more training is required. The case was settled for $25,000.
A patient alleged that a general hospital disclosed protected health information when a hospital staff person left a message on the patient's home phone answering machine, thereby failing to accommodate the patient's request that communications of PHI be made only through her mobile or work phones. OCR investigated Peachstate and uncovered multiple potential violations of the HIPAA Security Rule. If not, the form is invalid and any information released to a third party would be in violation of HIPAA regulations. Content created by Office for Civil Rights (OCR) Content last reviewed December 23, 2022. It did not change the maximum penalty for a violation, which means that the maximum penalty for a tier 1 violation is higher than the annual penalty cap, but for as long as the notice of enforcement discretion is in effect, the maximum penalty per year applies. Issue: Conditioning Compliance with the Privacy Rule. Yes. The HHS' Office of Civil Rights receives between 1,200 and 1,500 complaints and notifications of breaches per year. The employee responsible for the disclosure received a written disciplinary warning, and both the employee and the physician apologized to the patient. Pharmacy Chain Institutes New Safeguards for PHI in Pseudoephedrine Log Books Covered Entity: Pharmacies Large Health System Restricts Provider's Use of Patient Records Everything You Need to Know About a HIPAA Violation It took multiple requests and almost 5 months for all of the requested medical records to be provided. A staff member of a medical practice discussed HIV testing procedures with a patient in the waiting room, thereby disclosing PHI to several other individuals. Delaware Co. June 5, 2012). The case was settled for $1,250,000.
Dentist Revises Process to Safeguard Medical Alert PHI A national health maintenance organization sent explanation of benefits (EOB) by mail to a complainant's unauthorized family member. Private Practice Provides Access to All Records, Regardless of Source Issue: Access. What Happens When Nurses Violate HIPAA | S J Harris Law Honolulu-based Hawaii Pacific Health fired an employee in March after discovering the employee had inappropriately accessed patient medical records between November 2014 and January 2020. Among the corrective actions required to resolve this case, OCR required the insurer to correct the flaw in its computer system, review all transactions for a six-month period and correct all corrupted patient information. Covered Entity: Health Care Provider OCR investigated and found multiple potential HIPAA violations such as the failure to conduct a thorough risk analysis, risk management failures, and insufficient mechanisms to identify suspicious network activity. Covered Entity: Private Practice OCR investigated a complaint from a mother who requested a copy of her son's medical records from St. Joseph's Hospital and Medical Center but had not been provided with a complete set of the records. Social media use and ethics violations: Nurses' responses to A complaint alleged that a law firm working on behalf of a pharmacy chain in an administrative proceeding impermissibly disclosed the PHI of a customer of the pharmacy chain. An OCR investigation confirmed allegations that a dental practice flagged some of its medical records with a red sticker with the word "AIDS" on the outside cover, and that records were handled so that other patients and staff without need to know could read the sticker. The case was settled for $3 million. OCR required the covered entity to cease using the patient agreement that conditioned the entity's compliance with the Privacy Rule.
An outpatient surgical facility disclosed a patient's protected health information (PHI) to a research entity for recruitment purposes without the patient's authorization or an Institutional Review Board (IRB) or privacy-board-approved waiver of authorization. OCR provided technical assistance to the covered entity, explaining that the Privacy Rule permits a covered entity to provide a summary of patient records rather than the full record only if the requesting individual agrees in advance to such a summary or explanation. In the first half of 2018, more than 56% of the 4.5 billion compromised data records were from social media incidents. The solo dental practitioner in Butler, PA, failed to provide a patient with a copy of their medical record in a timely manner. Additionally, OCR required the covered entity to revise its Notice of Privacy Practices. OCR intervened and closed the case but received a second complaint 6 months after the first stating the records had still not been provided. Covered Entity: Private Practices HIPAA requires nurses and other health care professionals to report any violations they witness, even if they recognize it was accidental. Memorial Hermann Health System has agreed to pay OCR $2,400,000. To resolve this matter to the satisfaction of OCR, the hospital: retrained an entire Department with regard to the requirements of the Privacy Rule; provided additional specific training to staff members whose job duties included leaving messages for patients; and revised the Department's patient privacy policy to clarify patient rights to accommodation of reasonable requests to receive communications of PHI by alternative means or at alternative locations. A good example of this is a laptop that is stolen. A New York City Hospital Is Investigating a Nurse for Sharing Video Footage With The Intercept Lillian Udell is being investigated for violating privacy laws after sharing video of nurses.
A settlement of $150,000 has been reached with OCR. The disclosed information included details of patients' visits, treatment, and insurance. 13 hospital workers fired for snooping in Britney Spears' medical Hospital workers disciplined for viewing patients' genitals | CNN An employee of a major health insurer impermissibly disclosed the protected health information of one of its members without following the insurer's authorization and verification procedures. OCR clarified that an individual's health insurance card meets the statutory definition of PHI and, as such, needs to be safeguarded. 2021 HIPAA Right of Access Enforcement Actions Other 2021 HIPAA Violation Penalties Examples of HIPAA Violations by Nurses - HIPAA Coach The city of New Haven in Connecticut was investigated over an incident where a former employee accessed its systems after termination and copied a file containing the ePHI of 498 individuals. Prison Time for Scheme to Frame Nurse for HIPAA Violations The new authorization specifies what records and/or portions of the files will be disclosed and the respective authorization will be kept in the patient's record, together with the disclosed information. Radiologist Revises Process for Workers' Compensation Disclosures The nurse received the board notice for a hearing and the allegations against her, which involved breaching her duty to protect the patients' confidentiality and privacy rights in violation of the state's nurse practice act and administrative rules. State Hospital Sanctions Employees for Disclosing Patient's PHI Disciplinary action taken by the Massachusetts Board of Registration in After being notified by OCR about a proposed fine of $105,000, Dr. Brockley requested a hearing with an Administrative Law Judge, but settled out of court and agreed to a fine of $30,000. OCR received a complaint from a patient who had not been provided with a copy of his medical records.
Below are details of 47 incidents since 2012 in which workers at nursing homes and assisted-living centers shared photos or videos of residents on social media networks. Contrary to the Privacy Rule protections for information sought for administrative or judicial proceedings, the hospital failed to determine that reasonable efforts had been made to ensure that the individual whose PHI was being sought received notice of the request and/or failed to receive satisfactory assurance that the party seeking the information made reasonable efforts to secure a qualified protective order. CHSPSC LLC is a Tennessee-based management company that provides services to affiliates of Community Health Systems. However, the investigation revealed that the pharmacy chain and the law firm had not entered into a Business Associate Agreement, as required by the Privacy Rule to ensure that PHI is appropriately safeguarded. November 30, 2021 - New York-based Huntington Hospital began notifying 13,000 patients of a data breach that exposed protected health information (PHI) and resulted in a former . The PHI of 58,106 patients was improperly disposed of during that timeframe. Presence Health, one of the largest healthcare networks serving residents of Illinois, has agreed to pay OCR $475,000 to settle potential HIPAA Breach Notification Rule violations. The containers had labels that included the PHI of patients. Violations related to HIPAA laws have serious consequences, including job loss and other penalties. There may be a viable claim, in some cases, under state laws. The case was settled and a financial penalty of $28,000 was paid.