OCR determined the lack of encryption was in violation of the HIPAA Security Rule, there were insufficient device and media controls, and a business associate agreement had not been entered into with its parent company. Covered Entity: General Hospital The acknowledgement form is now included in the intake package of forms. Covered Entity: Private Practices The medical center had also failed to enter into a BAA with a business associate. Covered Entity: Health Plans Among other corrective actions to resolve the specific issues in the case, OCR required that the pharmacy chain implement national policies and procedures to safeguard the log books. That's almost an hour devoted to talking about someone else. National Pharmacy Chain Extends Protections for PHI on Insurance Cards Documentation was uncovered that clearly showed that mobile devices were believed to represent a critical security risk, yet action was not taken to address this issue in time to prevent the data breach. OCRs investigation revealed that: the hospital distributed an Operating Room (OR) schedule to employees via email; the hospitals OR schedule contained information about the complainants upcoming surgery. Under the revised policies and procedures, the practice may use and disclose PHI for research purposes, including recruitment, only if a valid authorization is obtained from each individual or if the covered entity obtains documentation that an alteration to or a waiver of the authorization requirement has been approved by an IRB or a Privacy Board. In August 2012, Cancer Care Group discovered a laptop computer and unencrypted backup drive had been stolen from the vehicle of an employee. A nurse in a New York clinic found herself at the center of an ugly HIPAA violation case when her sister-in-law's boyfriend was diagnosed with an STD. Read More, Complete P.T., Pool & Land Physical Therapy, Inc., (CPT) has agreed to pay a fine of $25,000 to the Department of Health and Human Services after the company posted photographs and names of patients on the client testimonial section of its website without first having obtained HIPAA-compliant authorizations from the patients in question. However, the court also legitimized private cause for action in HIPAA lawsuits, which could set a precedent for HIPAA related legal action. This was the case in 2019, when a number of healthcare professionals accessed a particular actor's medical records after the actor was part of a potential hoax hate-crime, which became headline news. The directory contained files that included the protected health information (PHI) of 307,839 individuals. ACMHS has agreed to settle the case with OCR for $150,000. To resolve this matter, the mental health center revised its intake assessment policy and procedures to specify that the notice will be provided and the clinician will attempt to obtain a signed acknowledgement of receipt of the notice prior to the intake assessment. The Privacy Rule requires covered entities to provide individuals with access to their medical records; however, the Privacy Rule exempts psychotherapy notes from this requirement. A private practice denied an individual access to his records on the basis that a portion of the individual's record was created by a physician not associated with the practice. In the majority of cases, the agency resolves the complaints without the need for an investigation or finds no HIPAA violation exists. HIPAA violations are not uncommon. Technical assistance had previously been provided by OCR, but devices had still not been encrypted. OCR also discovered a business associate failure. An employee at a mid-size clinic was involved in a suit when an auto collision victim sued her spouse. The case was settled for $100,000. MAPFRE has agreed to a $2,200,000 settlement with OCR. Covered Entity: Private Practice The case was settled for $10,000. Further, the covered entity counseled the supervisor about appropriate use of the medical information of a subordinate. Read More, Mountlake Terrace, WA-based Premera Blue Cross is the largest health plan in the Pacific Northwest. In addition, OCR determined there had been risk analysis failures, a risk management failure, and a lack of device media controls. And when data breaches like this occur, it's usually because of a HIPAA violation. Covered Entity: Private Practice The trial court noted that HIPAA does not create a private right of action, but instead requires that violations be pursued via administrative channels (ie: by filing a complaint with HHS). If a nurse breaches HIPAA, a patient cannot sue the nurse directly for a HIPAA breach. In 2015, Premera discovered there had been a breach of the ePHI of 10,466,692 individuals. So-mogye v. Toledo Clinic, 2012 WL 2191279 (N.D. Ohio, June 14, 2012). Issue: Access. OCR has increased its enforcement activities in recent years. September 05, 2017 - A Kentucky hospital was found to have acted lawfully when it fired a nurse for committing a HIPAA violation, according to the Kentucky Court of Appeals. For one violation, fines can range from $100-$50,000 for each instance of wrongdoing. Issue: Access, A patient alleged that a covered entity failed to provide him access to his medical records. Read More, In March 2019, OCR received a complaint from a patient who alleged she had not been provided with a copy of her medical records in the requested electronic format despite making repeated requests. Among other corrective actions to resolve the specific issues in the case, a letter of reprimand was placed in the supervisor's personnel file and the supervisor received additional training about the Privacy Rule. OCR provided technical assistance to the covered entity regarding the requirement that covered entities seeking to disclose PHI for research recruitment purposes must obtain either a valid patient authorization or an Institutional Review Board (IRB) or privacy-board-approved alteration to or waiver of authorization. Issue: Access. 0:04. Receive weekly HIPAA news directly via email, HIPAA News The ePHI of 62,500 patients was exposed. Read More, The Department of Health and Human Services Office for Civil Rights has agreed to a $650,000 settlement with University of Massachusetts Amherst (UMass). A grocery store based pharmacy chain maintained pseudoephedrine log books containing protected health information in a manner so that individual protected health information was visible to the public at the pharmacy counter. Issue: Safeguards, Minimum Necessary. HIPAA Advice, Email Never Shared Reports can be filed either through internal channels or electronically through the Department of Health and Human Services. The HHS` Office of Civil Rights receives between 1,200 and 1,500 complaints and notifications of breaches per year. Not necessary. In more servers cases, or where multiple violations have occurred, the nurse may lose their job. OCR settled the case for $50,000. Read More, The Department of Health and Human Services Office for Civil Rights has announced that Childrens Medical Center of Dallas has paid a civil monetary penalty of $3.2 million to resolve multiple HIPAA violations spanning several years. The case was settled for $25,000. Lincare Inc. is required to pay $239,800 for violations of the HIPAA Privacy Rule which were discovered during the investigation of a complaint about a breach of 278 patient records. A Nurse's Guide to the Use of Social Media discusses the case of a hospice nurse whose cancer patient had posted about her depression. To sign up for updates or to access your subscriber preferences, please enter your contact information below. An organizations prior history with regard to HIPAA non-compliance can also be a contributory factor in the calculation of penalties for HIPAA violations and therefore a second or subsequent fine will likely be much larger than the first. The case was settled for $202,400. 3 Examples of HIPAA Violation Cases Example #1: When it comes to HIPAA, curiosity can kill the cat or your career. The case was settled for $5,100,000. The device contained a range of patients ePHI, including full names, Social Security numbers, and dates of birth. A patient alleged that a general hospital disclosed protected health information when a hospital staff person left a message on the patients home phone answering machine, thereby failing to accommodate the patients request that communications of PHI be made only through her mobile or work phones. OCR settled the case for $3,500. Read More, Fallbrook Family Health Center in Nebraska failed to provide a patient with timely access to the requested medical records. OCR settled the case for $20,000. The case was settled for $3 million. Among other corrective actions to resolve the specific issues in the case, OCR required the covered entity to revise its policy. Case Examples by Covered Entity. The nurse received the board notice for a hearing and the allegations against her, which involved breaching her duty to protect the patients' confidentiality and privacy rights in violation of the state's nurse practice act and administrative rules. The nurse in question sent out six text messages to warn the patient's girlfriend about his STD. Issue: Conditioning Compliance with the Privacy Rule. Covered Entity: Pharmacy Chain A mother requested a copy of her sons medical records, but the records had not been provided three months after submitting the request. The penalties for a HIPAA violation are determined by the CE; HIPAA itself does not explicitly state what types of HIPAA violations will and will not result in the loss of a job. Further, the covered entity's Privacy Officer and other representatives met with the patient and apologized, and followed the meeting with a written apology. State Attorney Generals can also impose financial penalties on HIPAA-covered entities and business associates for violations of the HIPAA Rules. To resolve this matter to the satisfaction of OCR, the hospital: retrained an entire Department with regard to the requirements of the Privacy Rule; provided additional specific training to staff members whose job duties included leaving messages for patients; and, revised the Departments patient privacy policy to clarify patient rights to accommodation of reasonable requests to receive communications of PHI by alternative means or at alternative locations. A physician practice requested that patients sign an agreement entitled Consent and Mutual Agreement to Maintain Privacy. The agreement prohibited the patient from directly or indirectly publishing or airing commentary about the physician, his expertise, and/or treatment in exchange for the physicians compliance with the Privacy Rule. In the first half of 2018, more than 56% of the 4.5 billion compromised data records were from social media incidents. Issue: Impermissible Disclosure-Research. Among other corrective actions to remedy this situation, OCR required that the hospital revise its subpoena processing procedures. Read More, The settlement relates to the impermissible disclosure of the electronic protected health information of 2,209 patients in 2011. Read More, Office for Civil Rights has announced a settlement of $1,215,780 has been reached with Affinity Health Plan, Inc., to resolve potential HIPAA violations discovered during a breach investigation. OCR's investigation confirmed that the use and disclosure of protected health information by the supervisor was not authorized by the employee and was not otherwise permitted by the Privacy Rule. The patient had requested a copy of her childs fetal heart monitor records, but 9 months after the request had been submitted the records still had not been provided. Read More, Puerto Rico Blue Cross Blue Shield licensee Triple S Management Corporation has agreed to pay a HIPAA violation fine of $3.5 million to the Department of Health and Human Services Office for Civil Rights. Public Hospital Corrects Impermissible Disclosure of PHI in Response to a Subpoena A number of patients were filmed, but consent had not been obtained. Read More, Paradise Family Dental was investigated in response to a complaint that a parent had not been provided with a copy of her minor childs medical records, despite submitting multiple requests to the practice. The cost-of-living adjustment multiplier for 2023 is 1.07745, but this has not officially been applied by the HHS. Read More, The Department of Health and Human Services Office for Civil Rights (OCR) has taken action against a Denver, CO-based federally-qualified health center (FQHC) for security management process failures that contributed to the organization experiencing a data breach in 2011. HIPAA violations don't just occur when a nurse posts something of their own accord. OCR clarified that an individual's health insurance card meets the statutory definition of PHI and, as such, needs to be safeguarded. The new authorization specifies what records and/or portions of the files will be disclosed and the respective authorization will be kept in the patients record, together with the disclosed information. A digital photocopier was returned to a leasing company, but the PHI stored on its hard drive had not been erased before the device was returned. According to the Massachusetts General Law, Chapter 112, Section 77, the Board must report disciplinary actions to national data reporting systems. OCR determined there had been risk analysis failures, insufficient reviews of system activity, a failure to respond adequately to a detected breach, and insufficient technical controls to prevent unauthorized ePHI access. Among other corrective actions to resolve the specific issues in the case, the HMO created a new HIPAA-compliant authorization form and implemented a new policy that directs staff to obtain patient signatures on these forms before responding to any disclosure requests, even if patients bring in their own authorization form. Read More, OCR received a complaint from a patient of NY Spine, a private New York medical practice, who alleged she had not been provided with a copy of the diagnostic films that she specifically requested. Read more, The dental practice with offices in Charlotte and Monroe, NC, impermissibly disclosed a patients PHI on a webpage in response to a negative online review. The data breach was caused when a computer server firewall was deactivated by a physician at Columbia University leaving electronic PHI exposed and accessible via search engines. A complaint alleged that an HMO impermissibly disclosed a members PHI, when it sent her entire medical record to a disability insurance company without her authorization. Detailed below is a summary of all HIPAA violation cases that have resulted in settlements with the Department of Health and Human Services Office for Civil Rights (OCR), including cases that have been pursued by OCR after potential HIPAA violations were discovered during data breach investigations, and investigations of complaints submitted by patients and healthcare employees. Criminal violations of HIPAA Rules are dealt with by the U.S. Department of Justice. Issue: Access. OCR determined that the private practice denied the individual access to records to which she was entitled by the Privacy Rule. A complainant alleged that a private practice physician denied her access to her medical records, because the complainant had an outstanding balance for services the physician had provided. The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance. Read More, New England Dermatology and Laser Center in Massachusetts disposed of empty specimen containers in regular dumpsters between February 4, 2011, and March 31, 2021. Issue: Safeguards; Impermissible Uses and Disclosures. }); Show Your Employer You Have Completed The Best HIPAA Compliance Training Available With ComplianceJunctions Certificate Of Completion, Learn about the top 10 HIPAA violations and the best way to prevent them, Avoid HIPAA violations due to misuse of social media, Losses to Phishing Attacks Increased by 76% in 2022, Biden Administration Announces New National Cybersecurity Strategy, Settlement Reached in Preferred Home Care Data Breach Lawsuit, BetterHelp Settlement Agreed with FTC to Resolve Health Data Privacy Violations, Amazon Completes Acquisition of OneMedical Amid Concern About Uses of Patient Data, Willful neglect (not corrected within 30 days. OCR imposed a civil monetary penalty of $100,000. 4) Loss or Theft of Devices. Data were accessed by unknown third parties after ePHI data was unwittingly transferred to a server accessible to the public. A violation due to willful neglect which is corrected within thirty days will attract a fine of between $10,000 and $50,000. Between 2005 and 2019, healthcare data breaches affected nearly 250 million people. An OCR investigation confirmed allegations that a dental practice flagged some of its medical records with a red sticker with the word "AIDS" on the outside cover, and that records were handled so that other patients and staff without need to know could read the sticker. Read More, Lifespan Health System Affiliated Covered Entity is a Rhode Island healthcare provider. Read More, Elite Primary Care is a provider of primary health services in Georgia. Mental Health Center Provides Access after Denial Advocate Health Care Network will pay a record $5.55 million to settle multiple potential violations of the Health Insurance Portability and Accountability Act. Read More, Parkview Healthcare System has agreed to pay an $800,000 settlement for a violation of the HIPAA Privacy Rule. The minimum fine is $100 per violation (up to $50,000) for Category 1 violations. The impermissible disclosures of PHI resulted in a $10,000 settlement. An Accusation is a legal document formally charging a registered nurse with a violation (s) of the Nursing Practice Act, and notifying the public that a disciplinary action is pending against that nurse. A violation of HIPAA attributable to ignorance can attract a fine of $100 - $50,000. Listed below are all the OCR HIPAA violation cases that have resulted in a financial penalty. Read More, The Department of Health and Human Services Office for Civil Rights has sent another warning to HIPAA-covered entities about the need to obtain signed, HIPAA-compliant business associate agreements with all vendors prior to disclosing any protected health information. OCR settled the case for $55,000. This discrepancy is expected to be addressed through further rulemaking to make the new penalty structure permanent. An employee of a major health insurer impermissibly disclosed the protected health information of one of its members without following the insurer's authorization and verification procedures. Read more, Ridgewood, NJ-based Village Plastic Surgeryfailed to provide a patient with timely access to the requested medical records. Toll Free Call Center: 1-800-368-1019 Read More, OCR launched an investigation into the Carroll County, GA ambulance company, West Georgia Ambulance, after being notified about the loss of an unencrypted laptop computer that contained the PHI of 500 patients. A violation that occurred despite reasonable vigilance can attract a fine of $1,000 $50,000. Pharmacy Chain Revises Process for Disclosures to Law Enforcement A covered entitys obligation to comply with all requirements of the Privacy Rule cannot be conditioned on the patients silence. In 2012 it suffered a security breach that exposed the data of 2,700 individuals as a result of a malware infection. OCR investigated the incident and discovered risk analysis and risk management failures, insufficient information system activity logging and monitoring, missing business associate agreements, and employees had not been provided with HIPAA Privacy Rule training. OCR received a complaint from a patient who had not been provided with a copy of his medical records. When state laws are violated, the individuals whose ePHI has been compromised may be able to take legal action against the breached entity if it can be proven that an individual has suffered harm due to the negligence of a Covered Entity or Business Associate. By Jill McKeon. Clinic Sanctions Supervisor for Accessing Employee Medical Record A private practice physician who was the principal investigator of a clinical research study disclosed a list of patients and diagnostic codes to a contract research organization to telephone patients for recruitment purposes. Regulatory Changes Below are details of 47 incidents since 2012 in which workers at nursing homes and assisted-living centers shared photos or videos of residents on social media networks. This will have long-lasting ramifications. The private practice maintained that the disclosure to the contract research organization was permissible as a review preparatory to research. The investigation confirmed there had been a HIPAA Right of Access failure. Large Provider Revises Patient Contact Process to Reflect Requests for Confidential Communications Other than stipulating training should be provided as necessary and appropriate for members of the workforce to carry out their functions (HIPAA Privacy Rule) and that CEs and BAs should implement a security awareness and training program for all members of the workforce (HIPAA Security Rule), there are no specific HIPAA training requirements. Issue: Access. OCR's investigation determined that the private practice had relied on state regulations that permit a covered entity to provide a summary of the record. Although the Center gave the complainant the opportunity to review her medical record, this did not negate the Centers obligation to provide the complainant with a copy of her records. The data breach exposed the Protected Health Information of 55,000 patients. Among other corrective actions to resolve the specific issues in the case, OCR required that the social service agency develop procedures for properly disclosing protected health information only to its valid business associates and to train its staff on the new processes. The four categories range from unknowing violations to willful disregard of HIPAA rules. The. The case was settled with OCR and a 23,000 financial penalty was imposed. Read More, Washington, NC-based Metropolitan Community Health Services is a Federally Qualified Health Center. OCR also identified issues with the notice of privacy practices and a HIPAA privacy officer had not been appointed. Additionally, in order to prevent similar incidents, the hospital undertook a complete review of the distribution of the OR schedule. The Center provided OCR with a valid authorization, signed by the complainant, permitting the release of information to the auto insurance company. The Paubox team exported all reported incidents from HHS's official Breach Portal from January 1, 2019 - December 31, 2019 and used the data to compile the following summary. OCR settled the case for $22,500. Read More, Anchorage Community Mental Health Services (ACMHS) runs five mental health facilities in Alaska and is a non-profit organization. An OCR investigation also indicated that the confidential communications requirements were not followed, as the employee left the message at the patients home telephone number, despite the patients instructions to contact her through her work number. Among the corrective actions required to resolve this case, OCR required the insurer to correct the flaw in its computer system, review all transactions for a six month period and correct all corrupted patient information. Covered Entity: Health Care Provider OCR intervened and closed the case but received a second complaint a year later alleging the records had still not been provided. was investigated by OCR in response to a complaint from a patient that she would be charged a fee of $170 for her medical records. Read More, The University of Washington Medicine has agreed to settle with the Department of Health and Human Services Office for Civil Rights and will pay a HIPAA fine of $750,000 for potential HIPAA violations stemming from a 90,000-record data breach suffered in 2013. Covered Entity: Health Care Provider The HIPAA Right of Access violation was settled with OR for $75,000. A violation that occurred despite reasonable vigilance can attract a fine of $1,000 - $50,000. Additionally, OCR required the covered entity to revise its Notice of Privacy Practices. A nurse and an orderly at a state hospital discussed the HIV/AIDS status of a patient and the patient's spouse within earshot of other patients without making reasonable efforts to prevent the disclosure. $("#wpforms-form-28602 .wpforms-submit-container").appendTo(".submit-placement"); Read More, Raleigh Orthopaedic Clinic, P.A., of North Carolina over alleged violations of HIPAA Rules. Serious violations, even if the intent is not malicious, are likely to result in disciplinary action. Covered Entity: Private Practice Failure to report a violation could have serious consequences. A staff member of a medical practice discussed HIV testing procedures with a patient in the waiting room, thereby disclosing PHI to several other individuals. Examples of HIPAA Violations by Nurses Read More, The solo dental practitioner in Butler, PA, failed to provide a patient with a copy of their medical record in a timely manner. Common HIPAA violations include verbal discussions of PHI in public areas of a healthcare facility, stolen laptops used in patient care, accessing PHI when the access is not directly related to or while providing care to a patient and, in this reader's case, placing a patient's healthcare document in the regular trash. A mental health center did not provide a notice of privacy practices (notice) to a father or his minor daughter, a patient at the center. A complaint alleged that an HMO impermissibly disclosed a member's PHI, when it sent her entire medical record to a disability insurance company without her authorization. There are two key events to consider when looking at the timeline of penalties for HIPAA violations the passage of the HITECH Act in 2009 which reversed the burden of proof for HIPAA violations, and the HIPAA Omnibus Rule in 2013 which enacted the passage of the HITECH Act making business associates liable for HIPAA violations that were their fault. Settlements have previously been agreed upon with healthcare providers, health plans, and business associates of covered entities, but this is the first time OCR has settled potential HIPAA violations with a wireless health services provider. OCR determined the failure to terminate access rights when employment had ended was in violation of the HIPAA Security Rule. OCR provided technical assistance to the physician, explaining that, in general, the Privacy Rule requires that a covered entity provide an individual access to their medical record within 30 days of a request, regardless of whether or not the individual has a balance due. The Board can report disciplinary actions to other agencies that oversee nursing licenses. Outpatient Surgical Facility Corrects Privacy Procedure in Research Recruitment Read More, Orlando, FL-based primary care provider, Health Specialists of Central Florida Inc., was investigated by OCR after receipt of a complaint from a woman who had not been provided with a copy of her deceased fathers medical records. Department of Justice is the authority that handles all the breach fines and charges for violating HIPAA regulations. The case was settled for $200,000. Between October 23, 2009, and March 7, 2010 part of its database of policyholders was accessible to unauthorized individuals. The chain acknowledged that log books contained protected health information and implemented the required changes. By 2011, the UCLA Health System would agree to pay a fine of $865,000 to settle HIPAA privacy violations at its three hospitals. The center also provided OCR with written assurance that all policy changes were brought to the attention of the staff involved in the daughters care and then disseminated to all staff affected by the policy change. Read More, The Californian general dental practice, New Vision Dental, was investigated by OCR following reports about impermissible disclosures of patients protected health information on the review platform Yelp. The case was settled for $36,000. The pharmacy did not consider the customer's insurance card to be protected health information (PHI). Read More, The city of New Haven in Connecticut was investigated over an incident where a former employee accessed its systems after termination and copied a file containing the ePHI of 498 individuals. OCR received a complaint from a patient who alleged he had been denied access to his medical records. Read More, Beth Israel Lahey Health Behavioral Services (BILHBS) is the largest provider of mental health and substance use disorder services in eastern Massachusetts. Criminal HIPAA violations and penalties fall under three tiers: Tier 1: Deliberately obtaining and disclosing PHI without authorization up to one year in jail and a $50,000 fine Tier 2: Obtaining PHI under false pretenses up to five years in jail and a $100,000 fine OCR determined this violated the HIPAA Right of Access provision of the HIPAA Privacy Rule.
What Car Does Syd Burnett Drive,
Dock Slip For Sale Deep Creek Lake,
Our Lady Of Guadalupe Lindenwold Mass Schedule,
Articles N
nurse hipaa violation cases