nurse hipaa violation cases


Five Memphis healthcare workers charged with conspiracy, HIPAA violations. Physician Revises Faxing Procedures to Safeguard PHI. Unprotected storage of private health information can be an issue. These cases include civil monetary penalties, where it has been established that HIPAA Rules have been violated, and settlements, where HIPAA violations have been alleged to have occurred but the covered entity or business associate has decided not to contest the case and has instead chosen to pay a financial penalty to resolve the potential HIPAA violations with no admission of liability. To resolve this matter, the mental health center revised its intake assessment policy and procedures to specify that the notice will be provided and the clinician will attempt to obtain a signed acknowledgement of receipt of the notice prior to the intake assessment. Oregon Health & Science University (OHSU) has agreed to settle a case with the Department of Health and Human Services Office for Civil Rights stemming from two data breaches experienced in 2013. Memorial Hermann Health System agreed to settle potential HIPAA Privacy Rule violations with the Department of Health and Human Services Office for Civil Rights for $2.4 million. Hospital Implements New Minimum Necessary Policies for Telephone Messages. An investigation into Anthem Inc.'s massive 78.8 million-record data breach of 2015 revealed multiple HIPAA violations. New England Dermatology and Laser Center in Massachusetts disposed of empty specimen containers in regular dumpsters between February 4, 2011, and March 31, 2021. Covered Entity: Private Practices. Health Plan Corrects Computer Flaw that Caused Mailing of EOBs to Wrong Persons. OCR determined this violated the HIPAA Right of Access provision of the HIPAA Privacy Rule. All staff were trained on the revised procedures.
OCR also identified issues with the notice of privacy practices, and there was no HIPAA privacy officer. Covered Entity: Multi-Hospital Healthcare Provider. Failure to report a violation could have serious consequences. 3 Examples of HIPAA Violation Cases. Example #1: When it comes to HIPAA, curiosity can kill the cat, or your career. OCR determined the lack of encryption was in violation of the HIPAA Security Rule, there were insufficient device and media controls, and a business associate agreement had not been entered into with its parent company. State Hospital Sanctions Employees for Disclosing Patient's PHI. Comments and replies to someone else's post, chat room gossip (even if it's a private room), or leaving a review on a site like Yelp opens the door to potential HIPAA violations. An OCR investigation into an impermissible disclosure of 9,255 individuals' PHI by Advanced Care Hospitalists, a business associate of a HIPAA-covered entity, revealed serious HIPAA compliance failures, including a lack of a BAA, insufficient security measures to protect ePHI, and no documentation showing there had been any HIPAA compliance efforts prior to April 1, 2014. Arbour Hospital, a mental health clinic in Boston, MA, failed to provide a patient with the requested medical records within 30 days. OCR settled the case for $55,000. The hospital also trained relevant staff members on the new procedures. The solo dental practitioner in Butler, PA, failed to provide a patient with a copy of their medical record in a timely manner. The impermissible disclosures of PHI resulted in a $10,000 settlement. It did not change the maximum penalty for a violation, which means that the maximum penalty for a tier 1 violation is higher than the annual penalty cap, but for as long as the notice of enforcement discretion is in effect, the maximum penalty per year applies. Therefore, it .
OCR investigated a breach reported by the Department of Veterans Affairs involving a business associate, Authentidate Holding Corporation. Covered Entity: Health Care Provider. In March 2019, OCR received a complaint from a patient who alleged she had not been provided with a copy of her medical records in the requested electronic format despite making repeated requests. Memphis Commercial Appeal. The HIPAA Right of Access violation was settled with OCR for $160,000. OCR determined there had been risk analysis failures, insufficient reviews of system activity, a failure to respond adequately to a detected breach, and insufficient technical controls to prevent unauthorized ePHI access. MAPFRE has agreed to a $2,200,000 settlement with OCR. OCR investigated the incident and discovered risk analysis and risk management failures, insufficient information system activity logging and monitoring, missing business associate agreements, and that employees had not been provided with HIPAA Privacy Rule training. A complaint alleged that an HMO impermissibly disclosed a member's PHI when it sent her entire medical record to a disability insurance company without her authorization. HIPAA violations are not uncommon. In the first half of 2018, more than 56% of the 4.5 billion compromised data records were from social media incidents. The HHS' Office for Civil Rights receives between 1,200 and 1,500 complaints and notifications of breaches per year. Among other corrective actions to resolve the specific issues in the case, OCR required the hospital to develop and implement a policy regarding disclosures related to serious threats to health and safety, and to train all members of the hospital staff on the new policy. Issue: Safeguards.
The Department of Health and Human Services Office for Civil Rights has announced it has arrived at a settlement with Care New England Health System (CNE) to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). A was charged with violating the Health Insurance Portability and Accountability Act (HIPAA) and with "conspiracy to wrongfully disclose individual health information for personal gain with maliciously harmful intent in a personal dispute." Her husband was charged with witness tampering. In August 2012, Cancer Care Group discovered a laptop computer and unencrypted backup drive had been stolen from the vehicle of an employee. Among other corrective action taken to resolve this issue, the Center provided the complainant with a copy of her records. Further information on the penalties for HIPAA violations is detailed here. OCR clarified that an individual's health insurance card meets the statutory definition of PHI and, as such, needs to be safeguarded. There may be a viable claim, in some cases, under state laws. Upon learning of the incident, the hospital placed both employees on leave; the orderly resigned his employment shortly thereafter. The revised policy was implemented in the chain's stores nationwide. There are four tiers of HIPAA violation penalties for nurses, ranging from unknowing violations to willful neglect of HIPAA Rules. Under the revised policies and procedures, the practice may use and disclose PHI for research purposes, including recruitment, only if a valid authorization is obtained from each individual or if the covered entity obtains documentation that an alteration to or a waiver of the authorization requirement has been approved by an IRB or a Privacy Board. The case was ultimately unsuccessful; the court ruled in favor of the nurse. Content created by Office for Civil Rights (OCR). Content last reviewed December 23, 2022. Issue: Impermissible Uses and Disclosures.
The cost-of-living adjustment multiplier for 2023 is 1.07745, but this has not officially been applied by the HHS. The consequences of violating HIPAA can be significant, and it is important to note that fines for a HIPAA violation can be applied by the HHS Office for Civil Rights (OCR) even if no breach of PHI has occurred. For example, texting or calling a coworker to ask about a shared patient's case would be a HIPAA violation. The dental practice with offices in Charlotte and Monroe, NC, impermissibly disclosed a patient's PHI on a webpage in response to a negative online review. The nurse in question sent out six text messages to warn the patient's girlfriend about his STD. Jail Nursing: No Deliberate. OCR launched an investigation into the Carroll County, GA ambulance company, West Georgia Ambulance, after being notified about the loss of an unencrypted laptop computer that contained the PHI of 500 patients. A patient alleged that a general hospital disclosed protected health information when a hospital staff person left a message on the patient's home phone answering machine, thereby failing to accommodate the patient's request that communications of PHI be made only through her mobile or work phones. OCR conducted an investigation into an incident involving a stolen laptop that contained the ePHI of 20,431 patients. It took multiple requests and almost 5 months for all of the requested medical records to be provided. Had software patches been installed on the computers, the malware would not have been able to infect the PCs. The settlement stems from an impermissible disclosure in a press release issued by MHHS in September 2015. A violation that occurred despite reasonable vigilance can attract a fine of $1,000 to $50,000. Covered Entity: General Hospital. Department of Justice is the authority that handles all the breach fines and charges for violating HIPAA regulations.
The hospital disciplined and retrained the employee who made the impermissible disclosure. U.S. Department of Health & Human Services. When state laws are violated, the individuals whose ePHI has been compromised may be able to take legal action against the breached entity if it can be proven that an individual has suffered harm due to the negligence of a Covered Entity or Business Associate. OCR received a complaint from a patient who alleged he had been denied access to his medical records. Covered Entity: Private Practice. The center also provided OCR with written assurance that all policy changes were brought to the attention of the staff involved in the daughter's care and then disseminated to all staff affected by the policy change. The case was settled for $100,000. Therefore, you should assess employees' security awareness as part of a risk analysis to see if more training is required. OCR settled the case for $22,500. Employees were trained to provide only the minimum necessary information in messages, and were given specific direction as to what information could be left in a message. Covered Entity: General Hospitals. I personally would not expect a student to fully understand these things; correction and education would be in order rather than exaggerating the offenses to the level of a HIPAA violation. For only the second time in its history, OCR has ordered a HIPAA-covered entity to pay civil monetary penalties for HIPAA violations. Issue: Impermissible Uses and Disclosures. Even posts that seem well-meaning can violate privacy and confidentiality. Prison Time for Scheme to Frame Nurse for HIPAA Violations. The minimum fines are $100 per violation for tier 1, $1,000 per violation for tier 2, $10,000 per violation for tier 3, and $50,000 per violation for tier 4. The data breach exposed the Protected Health Information of 55,000 patients. St. Luke's-Roosevelt Hospital Center Inc.
has paid OCR $387,200 to resolve potential HIPAA violations discovered during an OCR investigation of a complaint about an impermissible disclosure of PHI. The case was settled for $10,000. The medical center had also failed to enter into a BAA with a business associate. The Department of Health and Human Services Office for Civil Rights has announced it has reached a settlement with North Memorial Health Care of Minnesota over alleged HIPAA violations from a 2011 data breach. CNE is required to pay a financial penalty of $400,000 and must adopt a comprehensive Corrective Action Plan (CAP) to address various areas of HIPAA non-compliance. The device was not protected by a password, and data on the device was not encrypted. Wise Psychiatry is a small provider of psychiatric services in Colorado. In 2012 it suffered a security breach that exposed the data of 2,700 individuals as a result of a malware infection. For one violation, fines can range from $100 to $50,000 for each instance of wrongdoing. Over the past 12 months, the style and severity of threats have continuously evolved. Additionally, OCR required the covered entity to revise its Notice of Privacy Practices. Issue: Impermissible Use and Disclosure. A complainant, who was both a patient and an employee of the hospital, alleged that her protected health information (PHI) was impermissibly disclosed to her supervisor. The outpatient facility reportedly believed that such disclosures were permitted by the Privacy Rule. Among other corrective actions to resolve the specific issues in the case, OCR required that the private practice revise its policies and procedures regarding access requests to reflect the individual's right of access regardless of payment source. The device was not password-protected, and the personal information of over 20,000 patients wasn't encrypted.
The local newspaper then featured on its front page the individual's x-ray and an article that included the date of the accident, the location of the accident, the patient's gender, a description of the patient's medical condition, and numerous quotes from the hospital about such unusual sporting accidents. The Center did not, however, provide the complainant with the opportunity to have the denial reviewed, as required by the Privacy Rule. Large Provider Revises Patient Contact Process to Reflect Requests for Confidential Communications. A hospital employee did not observe minimum necessary requirements when she left a telephone message with the daughter of a patient that detailed both her medical condition and treatment plan. In April, nurses on the night shift at Denver Health Medical Center were caught making inappropriate comments about a male patient's genitalia, according to a report from the Colorado Department. Among other corrective actions to resolve the specific issues in the case, the HMO created a new HIPAA-compliant authorization form and implemented a new policy that directs staff to obtain patient signatures on these forms before responding to any disclosure requests, even if patients bring in their own authorization form. Settlements have previously been agreed upon with healthcare providers, health plans, and business associates of covered entities, but this is the first time OCR has settled potential HIPAA violations with a wireless health services provider.
