The Board can report disciplinary actions to other agencies that oversee nursing licenses. HIPAA Violations: Nurse Looked at Her Mother's and Sister's Charts, Termination Upheld. The PHI of 58,106 patients was improperly disposed of during that timeframe. The HIPAA Right of Access violation was settled with OCR for $65,000. Oklahoma State University Center for Health Sciences experienced a hacking incident that was reported to OCR in January 2018. Employees were trained to provide only the minimum necessary information in messages, and were given specific direction as to what information could be left in a message. If an organization fails to take corrective action after having been issued a fine, the HHS Office for Civil Rights can impose subsequent fines. Nurse Pleads Guilty to HIPAA Violation: A licensed practical nurse who pleaded guilty to wrongfully disclosing a patient's health information for personal gain faces a maximum penalty of 10 years' imprisonment, a $250,000 fine, or both. Pharmacy Chain Enters into Business Associate Agreement with Law Firm. The HHS Office for Civil Rights receives between 1,200 and 1,500 complaints and notifications of breaches per year. ePHI was exposed as a direct result of the failure to conduct a comprehensive risk analysis and a security assessment on a server before using it to share files containing ePHI. Another potential HIPAA violation that is easily overlooked is discussing information over the phone.
Among other corrective actions to resolve the specific issues in the case, OCR required this chain to revise its national policy regarding law enforcement's access to patient protected health information to comply with the Privacy Rule requirements, including that disclosures of protected health information to law enforcement only be made in response to written requests from law enforcement officials, unless state law requires otherwise. Mental Health Center Corrects Process for Providing Notice of Privacy Practices. OCR investigated the breach and discovered multiple violations of the HIPAA Privacy and Security Rules. Under the revised policies and procedures, the practice may use and disclose PHI for research purposes, including recruitment, only if a valid authorization is obtained from each individual or if the covered entity obtains documentation that an alteration to or a waiver of the authorization requirement has been approved by an IRB or a Privacy Board. The California-based psychiatric medical services provider failed to provide a patient with timely access to the requested medical records and charged an unreasonable fee when the records were eventually provided. OCR's investigation determined that a flaw in the health plan's computer system put the protected health information of approximately 2,000 families at risk of disclosure in violation of the Rule. Fresenius Medical Care North America settled the case for $3,500,000. The diagnostic laboratory settled the case with OCR and paid a $16,500 financial penalty. However, up to 500 cases per year result in a fine and/or corrective action being required. The new authorization specifies what records and/or portions of the files will be disclosed, and the respective authorization will be kept in the patient's record together with the disclosed information.
Hospital Implements New Minimum Necessary Policies for Telephone Messages. OCR launched an investigation into the Carroll County, GA ambulance company West Georgia Ambulance after being notified about the loss of an unencrypted laptop computer that contained the PHI of 500 patients. OCR also identified issues with the notice of privacy practices, and there was no HIPAA privacy officer. The case was settled for $200,000. Among other corrective action taken to resolve this issue, the Center provided the complainant with a copy of her records. Between October 23, 2009, and March 7, 2010, part of its database of policyholders was accessible to unauthorized individuals. Oregon Health & Science University (OHSU) has agreed to settle a case with the Department of Health and Human Services' Office for Civil Rights stemming from two data breaches experienced in 2013; OHSU settled for $2.7 million. A separate case was settled for $25,000. Puerto Rico Blue Cross Blue Shield licensee Triple-S Management Corporation has agreed to pay a HIPAA violation fine of $3.5 million to the Department of Health and Human Services' Office for Civil Rights. A settlement of $400,000 was agreed upon with OCR to resolve the HIPAA violations. HIPAA violations don't just occur when a nurse posts something of their own accord. Keep your thoughts to yourself. The disclosure was not consistent with documents approved by the Institutional Review Board (IRB). However, because violations of HIPAA are so serious, covered entities will often choose to terminate the . HIPAA Journal provides comprehensive coverage of HIPAA news, together with independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations, and regulatory fines.
In 2015, Premera discovered there had been a breach of the ePHI of 10,466,692 individuals. Contacting individuals to participate in a research study is a use or disclosure of protected health information (PHI) for recruitment, as it is part of the research and is not an activity preparatory to research. A pharmacy employee placed a customer's insurance card in another customer's prescription bag. OCR issued a written analysis and a demand for compliance. MAPFRE has agreed to a $2,200,000 settlement with OCR. The hospital asserted that the disclosures were made to avert a serious threat to health or safety; however, OCR's investigation indicated that the disclosures did not meet the Privacy Rule's standard for such actions. The Department of Health and Human Services' Office for Civil Rights announced that the University of Mississippi Medical Center (UMMC) has agreed to settle alleged HIPAA violations and will pay a financial penalty of $2.75 million. OCR's investigation confirmed that the use and disclosure of protected health information by the supervisor was not authorized by the employee and was not otherwise permitted by the Privacy Rule. The Notice of Enforcement Discretion only applied a cap to each violation tier. HIPAA Violation Case Settled Between Ambulance Company and OCR for $65,000. The hospital disciplined and retrained the employee who made the impermissible disclosure. The California general dental practice New Vision Dental was investigated by OCR following reports about impermissible disclosures of patients' protected health information on the review platform Yelp. The complainant alleged that a mental health center (the "Center") improperly provided her records to her auto insurance company and refused to provide her with a copy of her medical records.
Among other corrective actions to resolve the specific issues in the case, OCR required that the private practice revise its policies and procedures regarding access requests to reflect the individual's right of access regardless of payment source. The new procedures were incorporated into the standard staff privacy training, both as part of a refresher series and mandatory yearly compliance training. Sentara Hospitals reported the breach to OCR as having impacted 8 individuals. Settlements have previously been agreed upon with healthcare providers, health plans, and business associates of covered entities, but this is the first time OCR has settled potential HIPAA violations with a wireless health services provider. OCR's investigation revealed that periodic technical and non-technical evaluations of operational changes affecting the security of electronic PHI had not been performed, procedures had not been implemented to verify the identity of individuals accessing ePHI, there was a lack of ePHI safeguards, and Aetna had violated the minimum necessary standard. OCR found that the owner of the practice had responded to several reviews and disclosed ePHI, even disclosing the names of patients in the responses who had chosen to post reviews anonymously. OCR received a complaint from a patient of California-based Riverside Psychiatric Medical Group in March 2019 alleging he had not been provided with a copy of his medical records. A violation due to willful neglect that is corrected within thirty days attracts a fine of between $10,000 and $50,000 per violation. On November 30, 2021, New York-based Huntington Hospital began notifying 13,000 patients of a data breach that exposed protected health information (PHI) and resulted in a former . Further information on the penalties for HIPAA violations is detailed here.
Hackers used a compromised username and password to gain access to a server that contained the protected health information (PHI) of 3.5 million individuals. The Paubox team exported all reported incidents from HHS's official Breach Portal from January 1, 2019 to December 31, 2019 and used the data to compile the following summary. Convicted of a crime substantially related to the qualifications, functions, and duties of an RN. The case was settled for $10,000. However, the investigation revealed that the pharmacy chain and the law firm had not entered into a Business Associate Agreement, as required by the Privacy Rule to ensure that PHI is appropriately safeguarded. The financial penalties imposed by OCR in 2020 for HIPAA Right of Access violations ranged from $3,500 to $160,000 and stemmed from refusals to provide copies of records or long delays. To resolve this matter, OCR also required the practice to revise its policies and operating procedures and to move medical alert stickers to the inside cover of the records. Dr. Robert Glaser, a New Hyde Park, NY-based cardiovascular disease and internal medicine doctor, failed to provide a patient with timely access to the requested medical records after repeated requests. The case was settled for $15,000. A patient submitted a complaint to OCR about an impermissible disclosure of PHI in a mailing. The HIPAA Right of Access violation was settled with OCR for $160,000. The data breach investigation revealed a substandard security management process and a catalog of HIPAA Security Rule violations. The maximum penalty is $1.5 million per violation category, per year. It took 8 months from the date of the first request for the records to be provided.
OCR determined there had been a risk analysis failure, an access control failure, an information system activity monitoring failure, and an impermissible disclosure of 6,617 patients' ePHI. Honolulu-based Hawaii Pacific Health fired an employee in March after discovering the employee had inappropriately accessed patient medical records between November 2014 and January 2020. Private Practice Implements Safeguards for Waiting Rooms. Violations related to HIPAA laws have serious consequences, including job loss and other penalties. An organization's prior history of HIPAA non-compliance can also be a contributory factor in the calculation of penalties for HIPAA violations, so a second or subsequent fine will likely be much larger than the first. Brigham and Women's Hospital agreed to settle the alleged HIPAA violations with OCR for $384,000. Mental Health Center Provides Access after Denial. Employees also were trained to review registration information for patient contact directives regarding leaving messages. Nurses and other health care professionals are expected to report any violations they witness, even if they recognize it was accidental. OCR received a complaint from a patient of NY Spine, a private New York medical practice, who alleged she had not been provided with a copy of the diagnostic films that she specifically requested. OCR imposed a $2.154 million civil monetary penalty against the Miami, FL-based nonprofit academic medical system Jackson Health System (JHS) for a slew of violations of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. Common HIPAA violations include verbal discussions of PHI in public areas of a healthcare facility, stolen laptops used in patient care, accessing PHI when the access is not directly related to providing care to a patient, and, in this reader's case, placing a patient's healthcare document in the regular trash.
A grocery store-based pharmacy chain maintained pseudoephedrine log books containing protected health information in a manner such that individuals' protected health information was visible to the public at the pharmacy counter. HIPAA violation penalties are tiered based on the level of negligence determined by the Department of Health and Human Services or the state attorney general. OCR determined the failure to terminate access rights when employment had ended was in violation of the HIPAA Security Rule. The patient filed a complaint with OCR and the records were eventually provided more than 10 months later. OCR settled the case for $240,000. At minimum, the nurse who violated HIPAA will probably have to go on a training course to prevent further violations. OCR provided technical assistance to the covered entity regarding the requirement that covered entities seeking to disclose PHI for research recruitment purposes must obtain either a valid patient authorization or an Institutional Review Board (IRB) or privacy-board-approved alteration to or waiver of authorization. OCR discovered risk analysis failures, risk management failures, a failure to conduct technical and non-technical evaluations following environmental or operational changes, and the disclosure of ePHI to a contractor without first entering into a business associate agreement. OCR intervened and closed the case but received a second complaint a year later alleging the records had still not been provided. The case was settled for $62,500. OCR investigated Peachstate and uncovered multiple potential violations of the HIPAA Security Rule. OCR settled the case for $3,500. HIPAA violations are not uncommon.
OCR stepped up enforcement of compliance with the HIPAA Rules in 2016, more than doubling the number of financial penalties. Among other corrective actions to remedy this situation, OCR required that the hospital revise its subpoena processing procedures. Health Plan Corrects Impermissible Disclosure of PHI through Training, Mitigation, and Sanctions. The HIPAA Right of Access violation was settled with OCR for $5,000. WellPoint is one of the largest providers of affiliated health plans, with almost 36 million policyholders across the United States. Washington, NC-based Metropolitan Community Health Services is a Federally Qualified Health Center. In August 2012, Cancer Care Group discovered a laptop computer and unencrypted backup drive had been stolen from the vehicle of an employee. The possibility of HIPAA lawsuits brought by patients and breach victims could change HIPAA enforcement. A nurse at a Texas children's hospital has been fired for violating Health Insurance Portability and Accountability Act (HIPAA) Rules by posting protected health information on a social media website. Clinic Sanctions Supervisor for Accessing Employee Medical Record. The maximum financial penalty, for willful neglect of the HIPAA Rules, is $1.5 million per violation category, per year. Pharmacy Chain Revises Process for Disclosures to Law Enforcement. A private practice failed to honor an individual's request for a complete copy of her minor son's medical record. Among other corrective actions to resolve the specific issues in the case, OCR required that the pharmacy chain implement national policies and procedures to safeguard the log books. Gossip is casual conversation about other people, which can be positive, neutral, or negative. In 2012 it suffered a security breach that exposed the data of 2,700 individuals as a result of a malware infection.
Health Specialists of Central Florida Inc. settled the case with OCR and paid a $20,000 penalty. In nursing education, a HIPAA violation by a nursing student could result in a variety of disciplinary actions, including termination, but this is rarely discussed in nursing literature. OCR determined there had been a failure to protect patient information, which resulted in an impermissible disclosure of 2,150 patient records. A national health maintenance organization sent an explanation of benefits (EOB) by mail to a complainant's unauthorized family member. CHCS also failed to implement appropriate security measures to address risks to ePHI in accordance with 45 C.F.R. In 2011, the UCLA Health System agreed to pay $865,000 to settle HIPAA privacy violations at its three hospitals. OCR investigated and found multiple violations of the HIPAA Rules, including a delayed response to a known security breach, risk analysis and risk management failures, and a lack of procedures to monitor information system activity logs. Wake Health Medical Group, a Raleigh, NC-based provider of primary care and other health care services, failed to provide a patient with timely access to the requested medical records. The impermissible disclosures of PHI resulted in a $10,000 settlement. Dentist Revises Process to Safeguard Medical Alert PHI. Memorial Hermann Health System has agreed to pay OCR $2,400,000. For only the second time in its history, OCR has ordered a HIPAA-covered entity to pay civil monetary penalties for HIPAA violations. Boston Medical Center settled with OCR for allowing an ABC film crew to record footage of patients as part of the Boston Med TV series without first obtaining consent from patients. QCA Health Plan has agreed to settle the HIPAA violations with OCR for $250,000.
The claim included the patient's test results. The city of New Haven in Connecticut was investigated over an incident in which a former employee accessed its systems after termination and copied a file containing the ePHI of 498 individuals. The practice settled the case with OCR for $80,000. The Office for Civil Rights has issued a statement confirming that an agreement has been reached with Adult & Pediatric Dermatology, P.C., of Concord, Massachusetts, following the exposure of the PHI of approximately 2,200 patients after a memory stick was stolen from the car of one of the center's employees. King MD is a small provider of psychiatric services in Virginia. OCR received a complaint from a patient who had not been provided with a copy of his medical records. In addition, OCR determined there had been risk analysis failures, a risk management failure, and a lack of device and media controls. The Center did not, however, provide the complainant with the opportunity to have the denial reviewed, as required by the Privacy Rule. Unprotected storage of private health information can be an issue. OCR imposes the civil penalties for HIPAA violations; criminal HIPAA charges are handled by the Department of Justice. Paradise Family Dental was investigated in response to a complaint that a parent had not been provided with a copy of her minor child's medical records, despite submitting multiple requests to the practice. Entity Rescinds Improper Charges for Medical Record Copies to Reflect Reasonable, Cost-Based Fees.