In April, nurses on the night shift at Denver Health Medical Center were caught making inappropriate comments about a male patient's genitalia, according to a report from the Colorado Department. Brigham and Women's Hospital was fined for allowing an ABC film crew to record footage of patients as part of the Boston Med TV series without first obtaining consent from patients. Honolulu-based Hawaii Pacific Health fired an employee in March after discovering the employee had inappropriately accessed patient medical records between November 2014 and January 2020. The incident for which the fine has been issued dates back to 2009, when a data security complaint was filed by a patient of one of its doctors. The above penalties were implemented as demanded by the HITECH Act of 2009 and increase annually in line with inflation. Oklahoma State University Center for Health Sciences experienced a hacking incident that was reported to OCR in January 2018. Violations of HIPAA have serious consequences, including job loss and other penalties. Comments and replies to someone else's post, chat room gossip (even in a private room) or leaving a review on a site like Yelp opens the door for potential HIPAA violations. Advanced Spine & Pain Management, a provider of chronic pain-related medical services in Cincinnati and Springboro, OH, failed to provide a patient with timely access to the requested medical records. The minimum fine is $100 per violation (up to $50,000) for Category 1 violations. Nurse Faced with Jail Time for Violating HIPAA Laws: Without appropriate HIPAA training, this case of a HIPAA violation demonstrates how critical it is to train workers before there is an issue.
OCR imposed a $2.154 million civil monetary penalty against the Miami, FL-based nonprofit academic medical system Jackson Health System (JHS) for a slew of violations of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. The HIPAA Right of Access violation was settled with OCR for $70,000. An employee's medical record is protected by the Privacy Rule, even though employment records held by a covered entity in its role as employer are not. HIPAA requires nurses and other health care professionals to report any violations they witness, even if they recognize it was accidental. A state health sciences center disclosed protected health information to a complainant's employer without authorization. The case was settled for $65,000. Cancer Care Group, an Indiana-based radiation oncology private physician practice, has agreed to settle with the Department of Health and Human Services' Office for Civil Rights for $750,000 for potential HIPAA violations relating to a 2012 data breach. The Department of Health and Human Services' Office for Civil Rights has announced it has settled potential HIPAA violations with Feinstein Institute for Medical Research for $3.9 million. Issue: Impermissible Use and Disclosure. A complainant, who was both a patient and an employee of the hospital, alleged that her protected health information (PHI) was impermissibly disclosed to her supervisor. Children's Hospital & Medical Center (CHMC), a pediatric care provider in Omaha, Nebraska, received a request from a parent for access to her daughter's medical records but only provided part of the requested information, despite repeated requests. Among other corrective actions to resolve the specific issues in the case, OCR required the health insurer to train its staff on the applicable policies and procedures and to mitigate the harm to the individual.
Paradise Family Dental was investigated in response to a complaint that a parent had not been provided with a copy of her minor child's medical records, despite submitting multiple requests to the practice. Issue: Impermissible Uses and Disclosures. A contested hearing took place, and the board found the nurse: Radiologist Revises Process for Workers' Compensation Disclosures. For example, any HIPAA form a patient signs needs to have a Right to Revoke clause. Therefore, it . Covered Entity: Health Care Provider / General Hospital. The nurse sent six text messages warning the man's girlfriend about the disease. A doctor's office disclosed a patient's HIV status when the office mistakenly faxed medical records to the patient's place of employment instead of to the patient's new health care provider. Idaho State University's Pocatello Family Medicine Clinic disabled the firewall that was protecting a server containing the medical health records of 17,500 patients. The new authorization specifies what records and/or portions of the files will be disclosed, and the respective authorization will be kept in the patient's record together with the disclosed information. A patient of University of Cincinnati Medical Center filed a complaint with OCR after not being provided with her requested records more than 13 weeks after submitting a request. San Diego-based Sharp Healthcare, dba Sharp Rees-Stealy Medical Centers, failed to provide a patient's medical records to a patient-specified third party for more than 2 months. The case was settled for $100,000. In response to OCR's investigation, the mental health center acknowledged that it had not provided the complainant and his daughter with a notice prior to her mental health evaluation.
In August 2012, Cancer Care Group discovered a laptop computer and unencrypted backup drive had been stolen from the vehicle of an employee. OCR launched an investigation of University of Rochester Medical Center following receipt of two breach reports concerning lost/stolen portable devices containing ePHI: a flash drive and a laptop computer. The privacy breaches occurred shortly after each other in 2013. It took 564 days from the initial request for all of the records to be provided to the patient. Mental Health Center Corrects Process for Providing Notice of Privacy Practices. Dr. Robert Glaser, a New Hyde Park, NY-based cardiovascular disease and internal medicine doctor, failed to provide a patient with timely access to the requested medical records after repeated requests. Private Practice Revises Process to Provide Access to Records Regardless of Payment Source. Moreover, the entity was required to train all staff on the revised policy. Raleigh Orthopaedic Clinic, P.A., of North Carolina over alleged violations of HIPAA Rules. The HIPAA Right of Access violation was settled with OCR for $65,000. Unprotected storage of private health information can be an issue. Oregon Health & Science University (OHSU) has agreed to settle a case with the Department of Health and Human Services' Office for Civil Rights stemming from two data breaches experienced in 2013. Memorial Hermann Health System agreed to settle potential HIPAA Privacy Rule violations with the Department of Health and Human Services' Office for Civil Rights for $2.4 million. OCR intervened and provided technical assistance on the HIPAA Right of Access but received a second complaint when the practice continued to deny him access. A settlement of $1,700,000 has been agreed upon with OCR to resolve the HIPAA violations that contributed to the cause of the breach. Penalties for "willful neglect" violations can range from .
Issue: Minimum Necessary; Confidential Communications. CHMC settled the HIPAA Right of Access case with OCR and paid an $80,000 penalty. HIPAA Fails Kim Kardashian: In 2013, medical employees decided to "Keep Up With The Kardashians," and it cost them their jobs. Even though it is not done maliciously. OCR received a complaint from a patient who alleged he had been denied access to his medical records. In some severe cases, yes, nurses can lose their jobs if they violate HIPAA. The Department of Health and Human Services' Office for Civil Rights has sent another warning to HIPAA-covered entities about the need to obtain signed, HIPAA-compliant business associate agreements with all vendors prior to disclosing any protected health information. In addition, the covered entity forwarded the complainant a complete copy of the medical record. Talking about a patient in a public area where others can hear you is a HIPAA violation. All staff were trained on the revised procedures. The solo dental practitioner in Butler, PA, failed to provide a patient with a copy of their medical record in a timely manner. Memorial Healthcare Systems has paid the penalty for non-compliance with HIPAA Rules, and in addition to the $5.5 million settlement, a robust corrective action plan must be adopted to address all areas of non-compliance. The case was contested, but an administrative law judge ruled in favor of OCR. The case was settled for $200,000. Covered Entity: General Hospital. Another potential HIPAA violation that's easily overlooked is discussing information over the phone. The details come from . Without a properly executed agreement, a covered entity may not disclose PHI to its law firm. The Paubox team exported all reported incidents from HHS's official Breach Portal from January 1, 2019 to December 31, 2019 and used the data to compile the following summary. If an offense is committed under false pretenses, the criminal penalties increase to a maximum .
Examples of HIPAA Violations by Nurses: A case study involving one nursing education program's experience with a Health Insurance Portability and Accountability Act (HIPAA) violation is used to illustrate how one nursing. The cost of employer HIPAA violations in the supreme court ranges from $100 to $50,000 based on a variety of factors, including: whether or not there was malicious intent (civil vs. criminal penalties); the degree of negligence; if a doctor violates HIPAA, including inadvertent disclosure; if a breach occurred. OCR stepped up enforcement of compliance with the HIPAA Rules in 2016, more than doubling the number of financial penalties. At minimum, the nurse who violated HIPAA will probably have to go on a training course to prevent further violations. OCR settled the case for $240,000. The case was settled for $15,000. Private Practice Revises Policies and Procedures Addressing Activities Preparatory to Research. Operating as Agape Health Services, the company experienced a breach of the ePHI of 1,263 patients. Pharmacy Chain Enters into Business Associate Agreement with Law Firm. Entity Rescinds Improper Charges for Medical Record Copies to Reflect Reasonable, Cost-Based Fees. Activities considered preparatory to research include: preparing a research protocol; developing a research hypothesis; and identifying prospective research participants. In 2012 it suffered a security breach that exposed the data of 2,700 individuals as a result of a malware infection. Employees were trained to provide only the minimum necessary information in messages, and were given specific direction as to what information could be left in a message.
Private Practice Revises Process to Provide Access to Records. Settlements have previously been agreed upon with healthcare providers, health plans, and business associates of covered entities, but this is the first time OCR has settled potential HIPAA violations with a wireless health services provider. Although the Center gave the complainant the opportunity to review her medical record, this did not negate the Center's obligation to provide the complainant with a copy of her records. It took 5 months from the initial request for the complete set of medical records to be provided. MIE also settled a multi-state action with state attorneys general and paid a penalty of $900,000. Employees also were trained to review registration information for patient contact directives regarding leaving messages. A covered entity's obligation to comply with all requirements of the Privacy Rule cannot be conditioned on the patient's silence. A penalty of $2.7 million will be paid by OHSU to settle alleged HIPAA violations without admission of liability. The new procedures were incorporated into the standard staff privacy training, both as part of a refresher series and mandatory yearly compliance training. Case Examples. It took 225 days from the initial request for the records to be provided. The Center provided OCR with a valid authorization, signed by the complainant, permitting the release of information to the auto insurance company. A grocery store-based pharmacy chain maintained pseudoephedrine log books containing protected health information in a manner so that individual protected health information was visible to the public at the pharmacy counter. Following the report of the theft of a laptop from the Springfield, Missouri Physical Therapy Center, Concentra Health Services was subjected to an investigation by OCR. OCR determined this breached the HIPAA Right of Access provision of the HIPAA Privacy Rule.
An employee at a mid-size clinic was involved in a suit when an auto collision victim sued her spouse. A nurse and an orderly at a state hospital discussed the HIV/AIDS status of a patient and the patient's spouse within earshot of other patients without making reasonable efforts to prevent the disclosure. In 2014, hackers accessed its systems and stole the ePHI of 6,121,158 individuals. In 2017, Lifespan mentioned in a news release that someone broke into an employee vehicle and stole their work laptop. Contacting individuals to participate in a research study is a use or disclosure of protected health information (PHI) for recruitment, as it is part of the research and is not an activity preparatory to research. The Notice of Enforcement Discretion only applied a cap to each violation tier. This case study involving one nursing education program's experience with a HIPAA violation illustrates how one nursing college dealt with a student's HIPAA . OCR's investigation revealed that the radiology practice had relied upon incorrect billing information from the treating hospital in submitting the claim. An Accusation is a legal document formally charging a registered nurse with a violation(s) of the Nursing Practice Act, and notifying the public that a disciplinary action is pending against that nurse. A $2.5 million settlement has been agreed upon with CardioNet to resolve potential HIPAA violations. Covered Entity: Private Practice. Issue: Impermissible Uses and Disclosures. In addition, OCR required the practice to reposition its computer monitors to prevent patients from viewing information on the screens, and the practice installed computer monitor privacy screens to prevent impermissible disclosures. The HIPAA Right of Access violation was settled with OCR for $30,000.
A Georgia man has been sentenced to federal prison in an unusual case in which he portrayed himself as a whistleblower while falsely reporting to authorities that a hospital worker committed criminal HIPAA violations. University of Texas MD Anderson Cancer Center was ordered to pay a civil monetary penalty of $4,348,000. A radiology practice that interpreted a hospital patient's imaging tests submitted a workers' compensation claim to the patient's employer. To resolve the matter, OCR required the pharmacy chain and the law firm to enter into a business associate agreement. OCR launched an investigation into the Carroll County, GA ambulance company West Georgia Ambulance after being notified about the loss of an unencrypted laptop computer that contained the PHI of 500 patients. Covered Entity: Mental Health Center. Criminal HIPAA violations and penalties fall under three tiers: Tier 1: deliberately obtaining and disclosing PHI without authorization, up to one year in jail and a $50,000 fine; Tier 2: obtaining PHI under false pretenses, up to five years in jail and a $100,000 fine. Health Plan Corrects Computer Flaw that Caused Mailing of EOBs to Wrong Persons. This usually happens when a celebrity checks into the hospital, but that's not always the case. The patient filed a complaint with OCR and the records were eventually provided more than 10 months later. The HHS' Office of Civil Rights receives between 1,200 and 1,500 complaints and notifications of breaches per year. Issue: Impermissible Uses and Disclosures; Business Associates. Covered Entity: Health Care Provider. Nurse Pleads Guilty to HIPAA Violation: A licensed practical nurse who pled guilty to wrongfully disclosing a patient's health information for personal gain faces a maximum penalty of 10 years imprisonment, a $250,000 fine, or both. The employee responsible for the disclosure received a written disciplinary warning, and both the employee and the physician apologized to the patient.
Brigham and Women's Hospital agreed to settle the alleged HIPAA violations with OCR for $384,000. The hospital also trained relevant staff members on the new procedures. Aetna Life Insurance Company and the affiliated covered entity (Aetna) were investigated over three data breaches that exposed the ePHI of 18,489 individuals. However, as violations of HIPAA are so severe, then CEs will choose to terminate the . The HIPAA Right of Access violation was settled with OCR for $75,000. A nurse practitioner who has privileges at a multi-hospital health care system and who is part of the system's organized health care arrangement impermissibly accessed the medical records of her ex-husband. The center also provided OCR with written assurance that all policy changes were brought to the attention of the staff involved in the daughter's care and then disseminated to all staff affected by the policy change. King MD is a small provider of psychiatric services in Virginia. The disclosure was not consistent with documents approved by the Institutional Review Board (IRB). Covered Entity: Outpatient Facility. The possibility of HIPAA lawsuits brought forth by patients and breach victims could change HIPAA enforcement. Catholic Health Care Services of the Archdiocese of Philadelphia has agreed to settle alleged HIPAA violations with OCR and implement a Corrective Action Plan (CAP). The HIPAA Right of Access violation was settled with OCR for $10,000. When dealing with these complex issues, you need legal representation that has a long track record of success in these types of cases. The case was settled for $36,000. The directory contained files that included the protected health information (PHI) of 307,839 individuals. OCR investigated and discovered similar privacy violations had occurred responding to patient reviews. A patient's rights under the Privacy Rule are not contingent on the patient's agreement with a covered entity.
The four categories range from unknowing violations to willful disregard of HIPAA rules. OCR determined the failure to terminate access rights when employment had ended was in violation of the HIPAA Security Rule. Lifespan Health System Affiliated Covered Entity is a Rhode Island healthcare provider. OCR attempted to resolve the matter via informal means between November 6, 2015 and August 30, 2016, before issuing a Notice of Proposed Determination on September 30, 2016. In fact, even a competent healthcare facility will experience minor HIPAA violation cases at some point. Sentara Hospitals reported the breach to OCR as having impacted 8 individuals. Issue: Impermissible Uses and Disclosures; Authorizations. The ePHI of 62,500 patients was exposed. Covered Entity: Private Practices. The Department of Health and Human Services' Office for Civil Rights (OCR) has taken action against a Denver, CO-based federally-qualified health center (FQHC) for security management process failures that contributed to the organization experiencing a data breach in 2011. The case was settled for $850,000. OCR investigated the allegation and found no evidence that the law firm had impermissibly disclosed the customer's PHI. Gossip is a casual conversation about other people which can be positive, neutral, or negative. Somogye v. Toledo Clinic, 2012 WL 2191279 (N.D. Ohio, June 14, 2012). An OCR investigation confirmed allegations that a dental practice flagged some of its medical records with a red sticker with the word "AIDS" on the outside cover, and that records were handled so that other patients and staff without need to know could read the sticker. A violation due to willful neglect which is corrected within thirty days will attract a fine of between $10,000 and $50,000. A pharmacy employee placed a customer's insurance card in another customer's prescription bag. Covered Entity: Pharmacies. The case was settled for $2,300,000.
If not, the form is invalid and any information released to a third party would be in violation of HIPAA regulations. Phoenix, AZ-based Banner Health is one of the largest healthcare systems in the United States. OCR investigated and found the EHR company had been allowed access to ePHI without signing a business associate agreement, along with risk analysis and risk management failures. To resolve this matter, the covered entity refunded the $100.00 records review fee. Hospital Issues Guidelines Regarding Disclosures to Avert Threats to Health or Safety. Among other actions taken to satisfactorily resolve this matter, the hospital took further disciplinary action with the nurse, which included: documenting the employee record with a memo of the incident; one year probation; referral for peer review; and further training on HIPAA Privacy. An investigation into Anthem Inc's massive 78.8 million-record data breach of 2015 revealed multiple HIPAA violations. North Memorial has agreed to pay $1,550,000 to OCR to settle the HIPAA violation charges. In March 2019, OCR received a complaint from a patient who alleged she had not been provided with a copy of her medical records in the requested electronic format despite making repeated requests. Covered Entity: General Hospital. OCR investigated and uncovered multiple potential violations of the HIPAA Rules: a risk analysis failure, risk management failure, lack of information system activity reviews, and insufficient technical policies to prevent unauthorized ePHI access. Detailed below is a summary of all HIPAA violation cases that have resulted in settlements with the Department of Health and Human Services' Office for Civil Rights (OCR), including cases that have been pursued by OCR after potential HIPAA violations were discovered during data breach investigations, and investigations of complaints submitted by patients and healthcare employees.
Covered Entity: Health Plans / HMOs. OCR also discovered a business associate failure. OCR provided technical assistance to the physician, explaining that, in general, the Privacy Rule requires that a covered entity provide an individual access to their medical record within 30 days of a request, regardless of whether or not the individual has a balance due. Covered Entity: Health Plans. The settlement relates to the impermissible disclosure of the electronic protected health information of 2,209 patients in 2011. OCR determined this breached the HIPAA Right of Access provision of the HIPAA Privacy Rule. Covered Entity: Outpatient Facility. Washington, NC-based Metropolitan Community Health Services is a Federally Qualified Health Center. OCR discovered risk analysis failures, a lack of policies covering electronic devices, a lack of encryption or alternative safeguards, insufficient security policies, and insufficient physical safeguards, resulting in an impermissible disclosure of 521 individuals' PHI. Initially, the pharmacy chain refused to acknowledge that the log books contained protected health information. Large Health System Restricts Provider's Use of Patient Records. Memorial Hermann Health System has agreed to pay OCR $2,400,000. For one violation, fines can range from $100 to $50,000 for each instance of wrongdoing. A settlement of $85,000 was agreed upon to resolve the violation. Covered Entity: General Hospital. OCR intervened and the records were provided 8 months after the initial request. The trial court noted that HIPAA does not create a private right of action, but instead requires that violations be pursued via administrative channels (i.e., by filing a complaint with HHS). CardioNet is a Pennsylvania-based provider of remote mobile monitoring and rapid response services to patients at risk for cardiac arrhythmias.
The Department of Health and Human Services' Office for Civil Rights has announced that Children's Medical Center of Dallas has paid a civil monetary penalty of $3.2 million to resolve multiple HIPAA violations spanning several years. A hospital employee's supervisor accessed, examined, and disclosed an employee's medical record. The device was not protected by a password and data on the device was not encrypted. In 2016, 12 entities agreed to settle their compliance investigations and pay a financial penalty, with one case seeing civil monetary penalties imposed. A was charged with violating the Health Insurance Portability and Accountability Act (HIPAA) and with "conspiracy to wrongfully disclose individual health information for personal gain with maliciously harmful intent in a personal dispute." Her husband was charged with witness tampering. The doctor was retiring and received a delivery of 71 boxes of medical files containing up to 8,000 patient records; however, the delivery was made, and the boxes were left on the doctor's driveway while he was out of the house. However, the patient was not covered by workers' compensation and had not identified workers' compensation as responsible for payment. Issue: Notice. To resolve the issues in this case, the hospital developed and implemented several new procedures. Nurses who deliberately obtain or disclose individually identifiable protected health information can face a fine of up to $50,000 and a maximum of 12 months in jail. CHCS also failed to implement appropriate security measures to address risks to ePHI in accordance with 45 C.F.R. The case was settled for $1,000,000. Some cases also can result in imprisonment up to one year for a standard violation and imprisonment for up to five years for a violation committed under false pretenses.
Even posts that seem well-meaning can violate privacy and confidentiality. The failure to cooperate with the investigation and respond to an administrative subpoena resulted in a civil monetary penalty of $50,000. CHCS will also pay a financial penalty of $650,000. OCR settled the case for $30,000. OCR announced that it has reached a settlement for $125,000 with a Denver-based healthcare provider, Cornell Pharmacy, following the improper disposal of patient health records. An organization's willingness to assist with an investigation is also taken into account. The maximum financial penalty, for willful neglect of the HIPAA Rules, is $1.5 million, per violation category, per year. The Board can report disciplinary actions to other agencies that oversee nursing licenses. A mental health center did not provide a notice of privacy practices (notice) to a father or his minor daughter, a patient at the center.