These cases include civil monetary penalties, where it has been established that HIPAA Rules have been violated, and settlements, where HIPAA violations have been alleged to have occurred but the covered entity or business associate has decided not to contest the case and has instead chosen to pay a financial penalty to resolve the potential HIPAA violations with no admission of liability. The case was settled for $62,500. Issue: Impermissible Disclosure-Research. The Office for Civil Rights has agreed to its largest-ever financial penalty for a violation of the Health Insurance Portability and Accountability Act's Privacy and Security Rules. A study found that the average person spends about 52 minutes per day engaging in this type of conversation. It took 5 months from the initial request for the complete set of medical records to be provided. OCR issued a written analysis and a demand for compliance. OCR received a complaint from a patient alleging BILHBS had not provided a copy of her father's medical records. By increasing its enforcement activity, OCR is sending a message to all covered entities, large and small, that violations of HIPAA Rules will not be tolerated. In addition to corrective action taken under the Privacy Rule, the state attorney general's office entered into a monetary settlement agreement with the patient. Scott Harris and the rest of our team at S J Harris Law will be ready to help you pursue any option available that allows you to keep your license and continue working, no matter what industry you are in. The hospital asserted that the disclosures were made to avert a serious threat to health or safety; however, OCR's investigation indicated that the disclosures did not meet the Privacy Rule's standard for such actions.
The settlement relates to the impermissible disclosure of the electronic protected health information of 2,209 patients in 2011. The Phoenix, Arizona-based non-profit health system, Banner Health, experienced a hacking incident that resulted in the impermissible disclosure of the PHI of 2.81 million individuals in 2016. Clinic Sanctions Supervisor for Accessing Employee Medical Record. The claim included the patient's test results. Issue: Safeguards. Hackers used a compromised username and password to gain access to a server that contained the protected health information (PHI) of 3.5 million individuals. Convicted of a crime substantially related to the qualifications, functions, and duties of an RN. The Department of Justice is the authority that handles all the breach fines and charges for violating HIPAA regulations. OCR announced that it has reached a settlement for $125,000 with a Denver-based healthcare provider, Cornell Pharmacy, following the improper disposal of patient health records. Further, the covered entity's Privacy Officer and other representatives met with the patient and apologized, and followed the meeting with a written apology. The new procedures were incorporated into the standard staff privacy training, both as part of a refresher series and mandatory yearly compliance training. Memorial Hermann Health System has agreed to pay OCR $2,400,000. Among other corrective actions to resolve the specific issues in the case, OCR required that the private practice revise its policies and procedures regarding access requests to reflect the individual's right of access regardless of payment source. A complainant alleged that a private practice physician denied her access to her medical records because the complainant had an outstanding balance for services the physician had provided.
Cancer Care Group, an Indiana-based radiation oncology private physician practice, has agreed to settle with the Department of Health and Human Services Office for Civil Rights for $750,000, for potential HIPAA violations relating to a 2012 data breach. Oregon Health & Science University (OHSU) has agreed to settle a case with the Department of Health and Human Services Office for Civil Rights stemming from two data breaches experienced in 2013. Catholic Health Care Services of the Archdiocese of Philadelphia has agreed to settle alleged HIPAA violations with the OCR and implement a Corrective Action Plan (CAP). The incident for which the fine has been issued dates back to 2009, when a data security complaint was filed by a patient of one of its doctors. Some of these were accidental. The Department of Health and Human Services Office for Civil Rights has announced it has arrived at a settlement with Care New England Health System (CNE) to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). State Attorneys General can also impose financial penalties on HIPAA-covered entities and business associates for violations of the HIPAA Rules. The man sued the clinic, even though it had already dismissed the nurse from her job. Issue: Access. OCR settled the case for $55,000. Among other actions taken to satisfactorily resolve this matter, the hospital took further disciplinary action with the nurse, which included: documenting the employee record with a memo of the incident; one year of probation; referral for peer review; and further training on HIPAA Privacy. A HIPAA settlement of $218,400 has been reached with St. Elizabeth Medical Center (SEMC) for violations of the HIPAA Privacy, Security, and Breach Notification Rules.
Question: Dear Nancy, Can an RN lose his or her nursing license over a HIPAA violation? Mountlake Terrace, WA-based Premera Blue Cross is the largest health plan in the Pacific Northwest. The Department of Health and Human Services Office for Civil Rights announced a new HIPAA settlement to resolve violations of the HIPAA Privacy Rule. Public Hospital Corrects Impermissible Disclosure of PHI in Response to a Subpoena. Large Provider Revises Patient Contact Process to Reflect Requests for Confidential Communications. Issue: Impermissible Disclosure. Covered Entity: Private Practices. The case was settled for $1,500,000. If a nurse violates HIPAA, a patient cannot sue the nurse for a HIPAA violation. In 2012 it suffered a security breach that exposed the data of 2,700 individuals as a result of a malware infection. The case was settled for $850,000. OCR's investigation revealed that the radiology practice had relied upon incorrect billing information from the treating hospital in submitting the claim. Advanced Spine & Pain Management, a provider of chronic pain-related medical services in Cincinnati and Springboro, OH, failed to provide a patient with timely access to the requested medical records. HIPAA violations don't just occur when a nurse posts something of their own accord. OCR's investigation revealed that the hospital distributed an Operating Room (OR) schedule to employees via email, and that the hospital's OR schedule contained information about the complainant's upcoming surgery. In case you aren't sure what I mean regarding judgment and professional boundaries: Nurses need to avoid the appearance of impropriety.
A Georgia man has been sentenced to federal prison in an unusual case in which he portrayed himself as a whistleblower while falsely reporting to authorities that a hospital worker committed criminal HIPAA violations. Orlando, FL-based primary care provider Health Specialists of Central Florida Inc. was investigated by OCR after receipt of a complaint from a woman who had not been provided with a copy of her deceased father's medical records. Under the revised process, if a subpoena is received that does not meet the requirements of the Privacy Rule, the information is not disclosed; instead, the hospital contacts the party seeking the subpoena and the requirements of the Privacy Rule are explained. Steven A. Porter, M.D.'s gastroenterological practice in Ogden, UT reported a breach to OCR involving a medical record company that was blocking access to patients' ePHI until a bill was paid. OCR determined there had been a failure to protect patient information which resulted in an impermissible disclosure of 2,150 patient records. Sentara Hospitals reported the breach to OCR as having impacted 8 individuals. Issue: Impermissible Uses and Disclosures. The acknowledgement form is now included in the intake package of forms. A nurse at a Texas children's hospital has been fired for violating Health Insurance Portability and Accountability Act (HIPAA) Rules by posting protected health information on a social media website. There may be a viable claim, in some cases, under state privacy laws. OCR intervened and closed the case but received a second complaint two months later when the records had still not been provided. Issue: Impermissible Uses and Disclosures.
Contrary to the Privacy Rule protections for information sought for administrative or judicial proceedings, the hospital failed to determine that reasonable efforts had been made to ensure that the individual whose PHI was being sought received notice of the request and/or failed to receive satisfactory assurance that the party seeking the information made reasonable efforts to secure a qualified protective order. HIPAA calls for civil fines up to $25,000 per violation to be paid by the employer, and criminal fines up to $250,000 to be paid by the employer and/or the individual. The patient had requested a copy of her child's fetal heart monitor records, but 9 months after the request had been submitted the records still had not been provided. University of Texas MD Anderson Cancer Center was ordered to pay a civil monetary penalty of $4,348,000. However, up to 500 cases per year result in a fine and/or corrective action being required. OCR conducted an investigation into an incident involving a stolen laptop that contained the ePHI of 20,431 patients. Further, the covered entity counseled the supervisor about appropriate use of the medical information of a subordinate. A nurse in a New York clinic found herself at the center of an ugly HIPAA violation case when her sister-in-law's boyfriend was diagnosed with an STD. The HHS' Office for Civil Rights receives between 1,200 and 1,500 complaints and notifications of breaches per year. A public hospital, in response to a subpoena (not accompanied by a court order), impermissibly disclosed the protected health information (PHI) of one of its patients. Issue: Minimum Necessary; Confidential Communications. The case was settled for $38,000.
Since HIPAA's enactment in 1996, we've witnessed almost 20 reported cases of unauthorized personnel looking up the medical records of celebrities. During the investigation, OCR discovered the business associate had acquired Peachstate, a CLIA-certified laboratory that provides clinical and genetic testing services. The office informed all its employees of the incident and counseled staff on proper faxing procedures. Hillcrest Nursing and Rehabilitation in Massachusetts received a request from a parent for her son's medical records on March 22, 2020, but the records were not provided until October 10, 2020. OCR investigated and discovered similar privacy violations had occurred when responding to patient reviews. Covered Entity: Health Care Provider. When dealing with these complex issues, you need legal representation that has a long track record of success in these types of cases. RN breaches patient confidentiality policy to check work schedule. Issue: Impermissible Use and Disclosure. A complainant, who was both a patient and an employee of the hospital, alleged that her protected health information (PHI) was impermissibly disclosed to her supervisor. CHCS will also pay a financial penalty of $650,000. Gossip is a casual conversation about other people which can be positive, neutral, or negative. The penalties for a HIPAA violation are determined by the CE; HIPAA itself does not explicitly state what types of HIPAA violations will and will not result in the loss of a job. Upon learning of the incident, the hospital placed both employees on leave; the orderly resigned his employment shortly thereafter. OCR investigated a complaint about an impermissible disclosure of a patient's PHI to a reporter. A mother requested a copy of her son's medical records, but the records had not been provided three months after submitting the request.
The directory contained files that included the protected health information (PHI) of 307,839 individuals. Hospital Implements New Minimum Necessary Policies for Telephone Messages. OCR has increased its enforcement activities in recent years. In response, the hospital instituted a number of actions to achieve compliance with the Privacy Rule. To remedy this situation, the private practice revised its policies and procedures regarding the disclosure of PHI and trained all physicians and staff members on the new policies and procedures.