3 Examples of HIPAA Violation Cases Example #1: When it comes to HIPAA, curiosity can kill the cat or your career. A was charged with violating the Health Insurance Portability and Accountability Act (HIPAA) and with "conspiracy to wrongfully disclose individual health information for personal gain with maliciously harmful intent in a personal dispute." Her husband was charged with witness tampering. An investigation into Anthem Inc.'s massive 78.8 million-record data breach of 2015 revealed multiple HIPAA violations. Among other corrective actions to resolve the specific issues in the case, the HMO created a new HIPAA-compliant authorization form and implemented a new policy that directs staff to obtain patient signatures on these forms before responding to any disclosure requests, even if patients bring in their own authorization form. OCR imposed a civil monetary penalty of $100,000. Puerto Rico Blue Cross Blue Shield licensee Triple S Management Corporation has agreed to pay a HIPAA violation fine of $3.5 million to the Department of Health and Human Services Office for Civil Rights. Private Practice Revises Process to Provide Access to Records The HIPAA Right of Access violation was settled with OCR for $70,000. The maximum financial penalty, for willful neglect of the HIPAA Rules, is $1.5 million, per violation category, per year. A physician practice requested that patients sign an agreement entitled Consent and Mutual Agreement to Maintain Privacy. The agreement prohibited the patient from directly or indirectly publishing or airing commentary about the physician, his expertise, and/or treatment in exchange for the physician's compliance with the Privacy Rule. For example, texting or calling a coworker to ask about a shared patient's case would be a HIPAA violation.
Steven A. Porter, M.D.'s gastroenterological practice in Ogden, UT reported a breach to OCR involving a medical record company that was blocking access to patients' ePHI until a bill was paid. OCR determined this fee to be unreasonable and that there had been a 15-month delay in providing the patient with the requested records. Issue: Impermissible Disclosure. A New York City Hospital Is Investigating a Nurse for Sharing Video Footage With The Intercept Lillian Udell is being investigated for violating privacy laws after sharing video of nurses. OCR intervened and the records were provided 8 months after the initial request. An outpatient surgical facility disclosed a patient's protected health information (PHI) to a research entity for recruitment purposes without the patient's authorization or an Institutional Review Board (IRB) or privacy-board-approved waiver of authorization. Nurses who deliberately obtain or disclose individually identifiable protected health information can face a fine of up to $50,000 and a maximum of 12 months in jail. Talking about a patient in a public area where others can hear you is a HIPAA violation. Memorial Hermann Health System has agreed to pay OCR $2,400,000. OCR received two complaints from patients in 2019 alleging they had to wait several months to receive a copy of their medical records. Allergy Associates of Hartford paid OCR $125,000 to settle the alleged HIPAA violations. Issue: Access. OCR issued a written analysis and a demand for compliance. An OCR investigation indicated that the form the HMO relied on to make the disclosure was not a valid authorization under the Privacy Rule.
2021 HIPAA Right of Access Enforcement Actions Other 2021 HIPAA Violation Penalties OCR determined there had been a risk analysis failure, access control failure, information system activity monitoring failure, and an impermissible disclosure of 6,617 patients' ePHI. When notified of the complaint filed with OCR, the dental practice immediately removed the red AIDS sticker from the complainant's file. The Department of Health and Human Services' Office for Civil Rights (OCR) has revealed a $65,000 HIPAA violation settlement has been agreed with West Georgia Ambulance, Inc., to address multiple breaches of Health Insurance Portability and Accountability Act Rules. Settlements have previously been agreed upon with healthcare providers, health plans, and business associates of covered entities, but this is the first time OCR has settled potential HIPAA violations with a wireless health services provider. National Pharmacy Chain Extends Protections for PHI on Insurance Cards In nursing education, a HIPAA violation made by a nursing student could result in a variety of disciplinary actions including termination but is rarely discussed in nursing literature. Among other corrective actions to resolve the specific issues in the case, OCR required the covered entity to revise its policy. The University of Washington Medicine has agreed to settle with the Department of Health and Human Services Office for Civil Rights and will pay a HIPAA fine of $750,000 for potential HIPAA violations stemming from a 90,000-record data breach suffered in 2013. OCR settled the case for $20,000. Since then, OCR has been cracking down on entities that have failed to provide individuals with timely access to their medical records.
While the amendment provisions of the Privacy Rule permit a covered entity to deny an individual's request for an amendment when the covered entity did not create the portion of the record subject to the request for amendment, no similar provision limits individuals' rights to access their protected health information. Phoenix, AZ-based Banner Health is one of the largest healthcare systems in the United States. But violations are also quite serious. Washington, NC-based Metropolitan Community Health Services is a Federally Qualified Health Center. In April, nurses on the night shift at Denver Health Medical Center were caught making inappropriate comments about a male patient's genitalia, according to a report from the Colorado Department. Among other corrective actions to resolve the specific issues in the case, a letter of reprimand was placed in the supervisor's personnel file and the supervisor received additional training about the Privacy Rule. Additionally, OCR required the covered entity to revise its Notice of Privacy Practices. Pharmacy Chain Institutes New Safeguards for PHI in Pseudoephedrine Log Books The hospital also trained relevant staff members on the new procedures. The office informed all its employees of the incident and counseled staff on proper faxing procedures. A public hospital, in response to a subpoena (not accompanied by a court order), impermissibly disclosed the protected health information (PHI) of one of its patients. District of Ohio dismissed her case. Reports can be filed either through internal channels or electronically through the Department of Health and Human Services. A private practice failed to honor an individual's request for a complete copy of her minor son's medical record. It took 564 days from the initial request for all of the records to be provided to the patient. Alternatively, financial penalties can be imposed if a breach of ePHI violates state laws.
Among other corrective action taken, the Center provided the complainant with a copy of her medical record and revised its policies and procedures to ensure that it provides timely access to all individuals. Employees also were trained to review registration information for patient contact directives regarding leaving messages. Covered Entity: Health Care Provider / General Hospital Covered Entity: General Hospitals Coastal Ear, Nose, and Throat in Florida received a request from a patient for a copy of medical records on December 15, 2020, and again on January 8, 2021, but the records were not provided until May 20, 2021. The HIPAA Right of Access violation was settled with OCR for $5,000. A nurse practitioner who has privileges at a multi-hospital health care system and who is part of the system's organized health care arrangement impermissibly accessed the medical records of her ex-husband. A staff member of a medical practice discussed HIV testing procedures with a patient in the waiting room, thereby disclosing PHI to several other individuals. Contacting individuals to participate in a research study is a use or disclosure of protected health information (PHI) for recruitment, as it is part of the research and is not an activity preparatory to research. The Center did not, however, provide the complainant with the opportunity to have the denial reviewed, as required by the Privacy Rule. If not, the form is invalid and any information released to a third party would be in violation of HIPAA regulations. Pharmacy Chain Revises Process for Disclosures to Law Enforcement
Orlando, FL-based primary care provider, Health Specialists of Central Florida Inc., was investigated by OCR after receipt of a complaint from a woman who had not been provided with a copy of her deceased father's medical records. The failure to cooperate with the investigation and respond to an administrative subpoena resulted in a civil monetary penalty of $50,000. To resolve this matter to the satisfaction of OCR, the hospital: retrained an entire Department with regard to the requirements of the Privacy Rule; provided additional specific training to staff members whose job duties included leaving messages for patients; and, revised the Department's patient privacy policy to clarify patient rights to accommodation of reasonable requests to receive communications of PHI by alternative means or at alternative locations. The case was settled for $6,850,000. Employees were trained to provide only the minimum necessary information in messages, and were given specific direction as to what information could be left in a message. OCR determined there had been a risk analysis failure and the case was settled for $100,000. HIPAA Violations: Nurse Looked At Her Mother's, Sister's Charts, Termination Upheld. The cost-of-living adjustment multiplier for 2023 is 1.07745, but this has not officially been applied by the HHS. A mental health center did not provide a notice of privacy practices (notice) to a father or his minor daughter, a patient at the center. The table above will be updated when the new penalty amounts for 2023 are finalized by the HHS. Further, the covered entity counseled the supervisor about appropriate use of the medical information of a subordinate. The chain acknowledged that log books contained protected health information and implemented the required changes. Denver Retina Center, a Denver, CO-based provider of ophthalmological services, failed to provide a patient with timely access to the requested medical records.
In 2012 it suffered a security breach that exposed the data of 2,700 individuals as a result of a malware infection. Mental Health Center Provides Access and Revises Policies and Procedures Among other corrective actions to resolve the specific issues in the case, the practice apologized to the patient and sanctioned the employee responsible for the incident; trained all billing and coding staff on appropriate insurance claims submission; and revised its policies and procedures to require a specific request from workers' compensation carriers before submitting test results to them. A settlement was agreed upon with OCR that included a $25,000 penalty. OCR launched an investigation into the Carroll County, GA ambulance company, West Georgia Ambulance, after being notified about the loss of an unencrypted laptop computer that contained the PHI of 500 patients. Between 2005 and 2019, healthcare data breaches affected nearly 250 million people. Covered Entity: Private Practice Large Provider Revises Patient Contact Process to Reflect Requests for Confidential Communications Serious violations, even if the intent is not malicious, are likely to result in disciplinary action. The Department of Justice is the authority that handles all the breach fines and charges for violating HIPAA regulations. OCR confirmed that PHI had been disclosed without an authorization from the patient and that there had been no sanctions against the physician responsible, despite being warned in advance not to disclose any PHI. A Georgia man has been sentenced to federal prison in an unusual case in which he portrayed himself as a whistleblower while falsely reporting to authorities that a hospital worker committed criminal HIPAA violations. Among other corrective actions to resolve the specific issues in the case, OCR required that the pharmacy chain implement national policies and procedures to safeguard the log books.
CHCS failed to perform a comprehensive risk analysis since September 23, 2013. Between October 23, 2009, and March 7, 2010 part of its database of policyholders was accessible to unauthorized individuals. HIPAA Journal states that if a nurse violates HIPAA, it is important that the incident is reported to the person responsible for HIPAA compliance in your facility or your supervisor. Covered Entity: Pharmacies OCR settled the case for $30,000. During OCR's investigation, the physician confirmed that the complainant was not given access to her medical record because of the outstanding balance. OCR also found the Notice of Privacy Practices to be inadequate. Once the physician learned that he could not withhold access until payment was made, the physician provided the complainant a copy of her medical record. Gossip is a casual conversation about other people which can be positive, neutral, or negative. Had software patches been installed on the computers, the malware would not have been able to infect the PCs. Covered Entity: Health Plans Hospital Revises Email Distribution as a Result of a Disclosure to Persons Without a "Need to Know" OCR determined this breached the HIPAA Right of Access provision of the HIPAA Privacy Rule. Issue: Impermissible Uses and Disclosures; Safeguards. OCR's investigation determined that the private practice had relied on state regulations that permit a covered entity to provide a summary of the record. It did not change the maximum penalty for a violation, which means that the maximum penalty for a tier 1 violation is higher than the annual penalty cap, but for as long as the notice of enforcement discretion is in effect, the maximum penalty per year applies. Dr. Glazer did not cooperate with OCR during the investigation, resulting in OCR imposing a civil monetary penalty of $100,000 for the HIPAA Right of Access violation.
The Center provided OCR with a valid authorization, signed by the complainant, permitting the release of information to the auto insurance company. Issue: Minimum Necessary; Confidential Communications. Nurses may violate HIPAA if they use non-approved channels to transmit patient information. A violation due to willful neglect which is not corrected within thirty days will attract the maximum fine of $50,000. The HIPAA Right of Access violation was settled with OCR for $30,000. OCR determined this breached the HIPAA Right of Access provision of the HIPAA Privacy Rule. 6) Keep Thoughts to Yourself. The HIPAA Right of Access violation was settled with OCR for $75,000. To remedy this situation, the private practice revised its policies and procedures regarding the disclosure of PHI and trained all physicians and staff members on the new policies and procedures. OCR fined Pagosa Springs Medical Center $111,400 for the failure to terminate a former employee's access to a web-based scheduling calendar, which resulted in an impermissible disclosure of 557 patients' ePHI. HMO Revises Process to Obtain Valid Authorizations The Department of Health and Human Services Office for Civil Rights has agreed to a $650,000 settlement with University of Massachusetts Amherst (UMass). A settlement of $400,000 was agreed upon with OCR to resolve the HIPAA violations. The settlement resolves HIPAA violations that contributed to the university experiencing a malware infection in 2013. Covered Entity: Health Plans / HMOs The records were provided on September 14, 2020. The case was settled for $850,000. OCR launched an investigation of University of Rochester Medical Center following receipt of two breach reports concerning lost/stolen portable devices containing ePHI: a flash drive and a laptop computer. The case was settled for $160,000. The case was settled with OCR and a $23,000 financial penalty was imposed.
Among other steps to resolve the specific issue in this case, OCR required the private practice to revise its access policy and procedures to affirm that, consistent with the Privacy Rule standards, patients have access to their record regardless of whether another entity created information contained within it. The new authorization specifies what records and/or portions of the files will be disclosed and the respective authorization will be kept in the patient's record, together with the disclosed information. Documentation was uncovered that clearly showed that mobile devices were believed to represent a critical security risk, yet action was not taken to address this issue in time to prevent the data breach. Bayfront Health St. Petersburg was investigated following receipt of a complaint from a patient on August 14, 2018. Issue: Impermissible Uses and Disclosures. OCR settled the case for $3,500. There may be a viable claim, in some cases, under state laws. Detailed below is a summary of all HIPAA violation cases that have resulted in settlements with the Department of Health and Human Services Office for Civil Rights (OCR), including cases that have been pursued by OCR after potential HIPAA violations were discovered during data breach investigations, and investigations of complaints submitted by patients and healthcare employees. An employee at a mid-size clinic was involved in a suit when an auto collision victim sued her spouse. Some of these were accidental. The disclosure was not consistent with documents approved by the Institutional Review Board (IRB). Anchorage Community Mental Health Services (ACMHS) runs five mental health facilities in Alaska and is a non-profit organization. Among other corrective actions to resolve the specific issues in the case, the pharmacy revised its policies regarding PHI and retrained its staff. All staff were trained on the revised procedures.
Common HIPAA violations include verbal discussions of PHI in public areas of a healthcare facility, stolen laptops used in patient care, accessing PHI when the access is not directly related to or while providing care to a patient and, in this reader's case, placing a patient's healthcare document in the regular trash.