Alternatively, financial penalties can be imposed if a breach of ePHI violates state laws. As a result of this review, the hospital revised the distribution of the OR schedule, limiting it to those who have a need to know. Private Practice Ceases Conditioning of Compliance with the Privacy Rule. On May 9, 2014, Touchstone Medical Imaging was informed by the FBI that one of its FTP servers was accessible over the Internet and allowed anonymous connections to a shared directory. Additionally, OCR required the covered entity to revise its Notice of Privacy Practices. The data breach was caused when a computer server firewall was deactivated by a physician at Columbia University, leaving electronic PHI exposed and accessible via search engines. OCR also discovered a business associate failure. Among other corrective actions to resolve the specific issues in the case, OCR required the covered entity to revise its policy. OCR's investigation revealed that periodic technical and non-technical evaluations of operational changes affecting the security of their electronic PHI had not been performed, procedures had not been implemented to verify the identity of individuals accessing their ePHI, there was a lack of ePHI safeguards, and Aetna had violated the minimum necessary standard. As of July 2022, there have been 38 HIPAA Right of Access cases under this compliance initiative that resulted in financial penalties. Issue: Notice. Penalties for "willful neglect" violations can range from . Additionally, in order to prevent similar incidents, the hospital undertook a complete review of the distribution of the OR schedule. PHI had been intentionally provided to the media on three separate occasions. Private Practice Implements Safeguards for Waiting Rooms. Memorial Hermann Health System in Texas received five requests from a patient for complete records to be provided between June 2019 and January 2020.
This is the second-largest settlement amount agreed with OCR. However, as violations of HIPAA are so severe, then CEs will choose to terminate the . Therefore, it . Anthem agreed to a record-breaking settlement of $16,000,000 to resolve the case. National Pharmacy Chain Extends Protections for PHI on Insurance Cards. OCR provided technical assistance to the physician, explaining that, in general, the Privacy Rule requires that a covered entity provide an individual access to their medical record within 30 days of a request, regardless of whether or not the individual has a balance due. OCR intervened and provided technical assistance, but it took 16 months for the records to be provided. The solo dental practitioner in Butler, PA, failed to provide a patient with a copy of their medical record in a timely manner. However, the patient was not covered by workers' compensation and had not identified workers' compensation as responsible for payment. During OCR's investigation, the physician confirmed that the complainant was not given access to her medical record because of the outstanding balance. A $2.5 million settlement has been agreed upon with CardioNet to resolve potential HIPAA violations. Lawrence Bell, Jr., D.D.S., in Maryland failed to provide a patient with timely access to the requested medical records. However, the court also legitimized a private cause of action in HIPAA lawsuits, which could set a precedent for HIPAA-related legal action. CHCS also failed to implement appropriate security measures to address risks to ePHI in accordance with 45 C.F.R. Issue: Impermissible Uses and Disclosures; Authorizations. The Privacy Rule requires covered entities to provide individuals with access to their medical records; however, the Privacy Rule exempts psychotherapy notes from this requirement.
Among other corrective actions to resolve the specific issues in the case, a letter of reprimand was placed in the supervisor's personnel file and the supervisor received additional training about the Privacy Rule. Athens Orthopedic Clinic PA in Georgia had its systems hacked in 2016. Issue: Impermissible Disclosure. A nurse at a Texas children's hospital has been fired for violating Health Insurance Portability and Accountability Act (HIPAA) Rules by posting protected health information on a social media website. Issue: Impermissible Use and Disclosure. A complainant, who was both a patient and an employee of the hospital, alleged that her protected health information (PHI) was impermissibly disclosed to her supervisor. A Georgia man has been sentenced to federal prison in an unusual case in which he portrayed himself as a whistleblower while falsely reporting to authorities that a hospital worker committed criminal HIPAA violations. Phoenix, AZ-based Banner Health is one of the largest healthcare systems in the United States. In fact, even a competent healthcare facility will experience minor HIPAA violation cases at some point. A contested hearing took place, and the board found the nurse:
For only the second time in its history, OCR has ordered a HIPAA-covered entity to pay civil monetary penalties for HIPAA violations. The outpatient facility reportedly believed that such disclosures were permitted by the Privacy Rule. The settlement relates to the impermissible disclosure of the electronic protected health information of 2,209 patients in 2011. The new authorization specifies what records and/or portions of the files will be disclosed, and the respective authorization will be kept in the patient's record, together with the disclosed information. This will have long-lasting ramifications. To resolve this matter, the mental health center revised its intake assessment policy and procedures to specify that the notice will be provided and the clinician will attempt to obtain a signed acknowledgement of receipt of the notice prior to the intake assessment. in Chicago, Illinois, was investigated in response to a complaint from a patient who had only been provided with a partial copy of her requested medical records. Nurses may violate HIPAA if they use non-approved channels to transmit patient information. The. OCR determined that there had been an impermissible disclosure of 34,883 patients' ePHI due to a lack of encryption. The settlement resolves HIPAA violations that contributed to the university experiencing a malware infection in 2013. Steven A. Porter, M.D.'s gastroenterological practice in Ogden, UT reported a breach to OCR involving a medical record company that was blocking access to patients' ePHI until a bill was paid. A digital photocopier was returned to a leasing company, but the PHI stored on its hard drive had not been erased before the device was returned. 2021 HIPAA Right of Access Enforcement Actions. Other 2021 HIPAA Violation Penalties. The case was settled with OCR for $300,640. OCR settled the case for $30,000.
An investigation of five separate breaches at HIPAA-covered entities owned by Fresenius Medical Care North America revealed multiple HIPAA violations had contributed to the breaches. Had software patches been installed on the computers, the malware would not have been able to infect the PCs. The records were provided on September 14, 2020. Listed below are all the OCR HIPAA violation cases that have resulted in a financial penalty. A mental health center did not provide a notice of privacy practices (notice) to a father or his minor daughter, a patient at the center. The Californian general dental practice, New Vision Dental, was investigated by OCR following reports about impermissible disclosures of patients' protected health information on the review platform Yelp. A state health sciences center disclosed protected health information to a complainant's employer without authorization. The dental practice with offices in Charlotte and Monroe, NC, impermissibly disclosed a patient's PHI on a webpage in response to a negative online review. During the investigation, OCR discovered the business associate had acquired Peachstate, a CLIA-certified laboratory that provides clinical and genetic testing services. A nurse in a New York clinic found herself at the center of an ugly HIPAA violation case when her sister-in-law's boyfriend was diagnosed with an STD. Wise Psychiatry is a small provider of psychiatric services in Colorado. HIPAA requires nurses and other health care professionals to report any violations they witness, even if they recognize it was accidental. The cost of employer HIPAA violations in the supreme court ranges from $100 to $50,000 based on a variety of factors, including: whether or not there was malicious intent (civil vs. criminal penalties); the degree of negligence; if a doctor violates HIPAA, including inadvertent disclosure; and if a breach occurred. Issue: Safeguards, Minimum Necessary. HIPAA calls for civil fines up to $25,000 per violation to be paid by the employer, and criminal fines up to $250,000 to be paid by the employer and/or the individual. To resolve this matter, OCR also required the practice to revise its policies and operating procedures and to move medical alert stickers to the inside cover of the records. The HIPAA Right of Access violation was settled with OCR for $30,000. A doctor's office disclosed a patient's HIV status when the office mistakenly faxed medical records to the patient's place of employment instead of to the patient's new health care provider. Among other corrective actions to resolve the specific issues in the case, the practice apologized to the patient and sanctioned the employee responsible for the incident; trained all billing and coding staff on appropriate insurance claims submission; and revised its policies and procedures to require a specific request from workers' compensation carriers before submitting test results to them. One of the most common HIPAA violations is a result of lost company devices. OCR determined its compliance program had been in disarray for several years. The HHS has announced that Lahey Hospital and Medical Center has agreed to settle a case with the Office for Civil Rights over alleged HIPAA violations following a data breach that occurred in October 2011. The paperwork was taken by a member of the public who sold the material to a recycling facility. Examples of HIPAA Violations by Nurses. HIPAA Violations: Nurse Looked At Her Mother's, Sister's Charts, Termination Upheld. Covered Entity: Private Practice. In the majority of cases, the agency resolves the complaints without the need for an investigation or finds no HIPAA violation exists.
The penalties for HIPAA violations through the OCR are as follows: Tier 1: minimum fine of $100 per violation, up to $50,000; Tier 2: minimum fine of $1,000 per violation, up to $50,000; Tier 3: minimum fine of $10,000 per violation, up to $50,000; Tier 4: minimum fine of $50,000 per violation. St. Joseph Health has agreed to pay OCR $2,140,500. Covered Entity: Private Practices. The practice settled the case with OCR for $80,000. OCR launched an investigation into the Carroll County, GA ambulance company, West Georgia Ambulance, after being notified about the loss of an unencrypted laptop computer that contained the PHI of 500 patients. A patient submitted a complaint to OCR about an impermissible disclosure of PHI in a mailing. A settlement of $400,000 was agreed upon with OCR to resolve the HIPAA violations. The medical center had also failed to enter into a BAA with a business associate. The HIPAA Right of Access violation was settled with OCR for $70,000. If a nurse breaches HIPAA, a patient cannot sue the nurse directly for a HIPAA breach. The investigation also indicated that the disclosures did not meet the Rule's de-identification standard and therefore were not permissible without the individual's authorization. Memorial Healthcare Systems has paid the penalty for non-compliance with HIPAA Rules, and in addition to the $5.5 million settlement, a robust corrective action plan must be adopted to address all areas of non-compliance. The HIPAA Right of Access violation was settled with OCR for $65,000. Issue: Safeguards; Impermissible Uses and Disclosures. Now add up that time for a week, a month, or even a year. OCR discovered a risk analysis failure, the lack of a security awareness training program, and a failure to implement HIPAA Security Rule policies and procedures.
For example, texting or calling a coworker to ask about a shared patient's case would be a HIPAA violation. A patient's rights under the Privacy Rule are not contingent on the patient's agreement with a covered entity. HIPAA Journal's goal is to assist HIPAA-covered entities to achieve and maintain compliance with state and federal regulations governing the use, storage and disclosure of PHI and PII. Jail Nursing: No Deliberate Among other corrective actions to resolve the specific issues in the case, including mitigation of harm to the complainant, OCR required the Center to revise its procedures regarding patient authorization prior to release of protected health information to an employer. A private practice failed to honor an individual's request for a complete copy of her minor son's medical record. OCR provided technical assistance to the covered entity regarding the requirement that covered entities seeking to disclose PHI for research recruitment purposes must obtain either a valid patient authorization or an Institutional Review Board (IRB) or privacy-board-approved alteration to or waiver of authorization. Not necessary. A violation that occurred despite reasonable vigilance can attract a fine of $1,000 to $50,000. The private practice maintained that the disclosure to the contract research organization was permissible as a review preparatory to research. OCR investigated the incident and discovered risk analysis and risk management failures, insufficient information system activity logging and monitoring, missing business associate agreements, and employees had not been provided with HIPAA Privacy Rule training. CHSPSC LLC is a Tennessee-based management company that provides services to affiliates of Community Health Systems.
Common HIPAA violations include verbal discussions of PHI in public areas of a healthcare facility, stolen laptops used in patient care, accessing PHI when the access is not directly related to or while providing care to a patient and, in this reader's case, placing a patient's healthcare document in the regular trash. OCR determined this fee to be unreasonable and that there had been a 15-month delay in providing the patient with the requested records. The Diabetes, Endocrinology & Lipidology Center, Inc., a West Virginia-based healthcare provider specializing in treating endocrine disorders, failed to provide a parent with a copy of her minor child's protected health information within 30 days. Nurse Pleads Guilty to HIPAA Violation. A licensed practical nurse who pled guilty to wrongfully disclosing a patient's health information for personal gain faces a maximum penalty of 10 years imprisonment, a $250,000 fine, or both. Employees were trained to provide only the minimum necessary information in messages, and were given specific direction as to what information could be left in a message. Covered Entity: Health Care Provider. Among other actions taken to satisfactorily resolve this matter, the hospital took further disciplinary action with the nurse, which included: documenting the employee record with a memo of the incident; one year probation; referral for peer review; and further training on HIPAA Privacy. Issue: Access. Lahey Hospital and Medical Center has agreed to pay $850,000 to settle the case without admission of liability. The case was settled for $200,000. The containers had labels that included the PHI of patients. On Tuesday, the Department of Justice said Jeffrey Parker of Rincon . Educators worry about the confidentiality of all student information, particularly the data relied upon in developing and implementing IEPs and Section 504 plans, often on account of "HIPAA .
Among other corrective actions to resolve the specific issues in the case, OCR required the outpatient facility to: revise its written policies and procedures regarding disclosures of PHI for research recruitment purposes to require valid written authorizations; retrain its entire staff on the new policies and procedures; log the disclosure of the patient's PHI for accounting purposes; and send the patient a letter apologizing for the impermissible disclosure. Bayfront Health St. Petersburg was investigated following receipt of a complaint from a patient on August 14, 2018. An employee at a mid-size clinic was involved in a suit when an auto collision victim sued her spouse. Activities considered preparatory to research include: preparing a research protocol; developing a research hypothesis; and identifying prospective research participants. The HIPAA Right of Access violation was settled with OCR for $5,000. 6) Keep Thoughts to Yourself. A case study involving one nursing education program's experience with a Health Insurance Portability and Accountability Act (HIPAA) violation is used to illustrate how one nursing. The Phoenix, Arizona-based non-profit health system, Banner Health, experienced a hacking incident that resulted in the impermissible disclosure of the PHI of 2.81 million individuals in 2016. A municipal social service agency disclosed protected health information while processing Medicaid applications by sending consolidated data to computer vendors that were not business associates. The disclosed information included details of patients' visits, treatment, and insurance. OCR received two complaints from patients in 2019 alleging they had to wait several months to receive a copy of their medical records. Paige. OCR stepped up enforcement of compliance with the HIPAA Rules in 2016, more than doubling the number of financial penalties.
CNE is required to pay a financial penalty of $400,000 and must adopt a comprehensive Corrective Action Plan (CAP) to address various areas of HIPAA non-compliance. To resolve this matter, the covered entity refunded the $100.00 records review fee. Hospital Issues Guidelines Regarding Disclosures to Avert Threats to Health or Safety. Among other steps to resolve the specific issue in this case, OCR required the private practice to revise its access policy and procedures to affirm that, consistent with the Privacy Rule standards, patients have access to their record regardless of whether another entity created information contained within it. Within the space of three months, the protected health information of over 7,000 patients was exposed. Danbury Psychiatric Consultants in Massachusetts received a request for medical records on March 24, 2020, but access to the records was refused due to an outstanding bill. Advanced Spine & Pain Management, a provider of chronic pain-related medical services in Cincinnati and Springboro, OH, failed to provide a patient with timely access to the requested medical records. OCR provided technical assistance but received another complaint from the same patient that the records had still not been provided. A patient alleged that a general hospital disclosed protected health information when a hospital staff person left a message on the patient's home phone answering machine, thereby failing to accommodate the patient's request that communications of PHI be made only through her mobile or work phones. The case was settled for $65,000. In addition, the employee who made the disclosure was counseled and given a written warning. An OCR investigation indicated that the form the HMO relied on to make the disclosure was not a valid authorization under the Privacy Rule. The Center did not, however, provide the complainant with the opportunity to have the denial reviewed, as required by the Privacy Rule.
At the direction of an insurance company that had requested an independent medical exam of an individual, a private medical practice denied the individual a copy of the medical records. The Center provided OCR with a valid authorization, signed by the complainant, permitting the release of information to the auto insurance company. The case was settled for $3,500. The ePHI of 62,500 patients was exposed. Medical Informatics Engineering, an Indiana-based provider of electronic medical record software and services, experienced a major data breach in 2015 at its NoMoreClipboard subsidiary. Fresenius Medical Care North America settled the case for $3,500,000. The case was settled for $2,300,000. A private practice denied an individual access to his records on the basis that a portion of the individual's record was created by a physician not associated with the practice. Anchorage Community Mental Health Services (ACMHS) runs five mental health facilities in Alaska and is a non-profit organization. The incident for which the fine has been issued dates back to 2009, when a data security complaint was filed by a patient of one of its doctors. A nurse and an orderly at a state hospital discussed the HIV/AIDS status of a patient and the patient's spouse within earshot of other patients without making reasonable efforts to prevent the disclosure. OCR received a complaint from a patient of NY Spine, a private New York medical practice, who alleged she had not been provided with a copy of the diagnostic films that she specifically requested. The case was settled for $10,000. The default security settings were left in place, which allowed any individual with an Internet connection to gain access to the ePHI in the files. An investigation into Anthem Inc.'s massive 78.8 million-record data breach of 2015 revealed multiple HIPAA violations.
Settlements have previously been agreed upon with healthcare providers, health plans, and business associates of covered entities, but this is the first time OCR has settled potential HIPAA violations with a wireless health services provider. renewals of licenses or APRN authorizations, or both. Memorial Hermann Health System agreed to settle potential HIPAA Privacy Rule violations with the Department of Health and Human Services' Office for Civil Rights for $2.4 million. Issue: Impermissible Uses and Disclosures. OCR launched an investigation of University of Rochester Medical Center following receipt of two breach reports concerning lost/stolen portable devices containing ePHI: a flash drive and a laptop computer. One addressed the issue of minimum necessary information in telephone message content. Hospital Revises Email Distribution as a Result of a Disclosure to Persons Without a "Need to Know". Rainrock Treatment Center LLC (dba Monte Nido Rainrock), a Eugene, OR-based provider of residential eating disorder treatment services, failed to provide a patient with timely access to the requested medical records after repeated requests. Therefore you should assess employees' security awareness as part of a risk analysis to see if more training is required. Dr. Robert Glaser, a New Hyde Park, NY-based cardiovascular disease and internal medicine doctor, failed to provide a patient with timely access to the requested medical records after repeated requests. The case was settled and a financial penalty of $28,000 was paid. Private Practice Provides Access to All Records, Regardless of Source. Among other corrective actions to resolve the specific issues in the case, the HMO created a new HIPAA-compliant authorization form and implemented a new policy that directs staff to obtain patient signatures on these forms before responding to any disclosure requests, even if patients bring in their own authorization form.
In 2013 and 2015, protections on servers were accidentally removed and files containing ePHI could be accessed over the internet without the need for a username or password.
The financial penalties imposed by OCR in 2020 for HIPAA Right of Access violations ranged from $15,000 to $160,000 and stemmed from refusals to provide copies of records or long delays. Lifespan Health System Affiliated Covered Entity is a Rhode Island healthcare provider. The case was ultimately unsuccessful; the court ruled in favor of the nurse. CardioNet is a Pennsylvania-based provider of remote mobile monitoring and rapid response services to patients at risk for cardiac arrhythmias. Covered Entity: Private Practice. The nurse sent six text messages, warning the man's girlfriend about the disease. After OCR notified the entity of the allegation, the entity released the complainant's medical records but also billed him $100.00 for a records review fee as well as an administrative fee. The office informed all its employees of the incident and counseled staff on proper faxing procedures. Physician Revises Faxing Procedures to Safeguard PHI. OCR determined the lack of encryption was in violation of the HIPAA Security Rule, there were insufficient device and media controls, and a business associate agreement had not been entered into with its parent company. In addition to corrective action taken under the Privacy Rule, the state attorney general's office entered into a monetary settlement agreement with the patient. There are two key events to consider when looking at the timeline of penalties for HIPAA violations: the passage of the HITECH Act in 2009, which reversed the burden of proof for HIPAA violations, and the HIPAA Omnibus Rule in 2013, which enacted the passage of the HITECH Act, making business associates liable for HIPAA violations that were their fault. In April, nurses on the night shift at Denver Health Medical Center were caught making inappropriate comments about a male patient's genitalia, according to a report from the Colorado Department. 4) Loss or Theft of Devices.
OCR announced that it has reached a settlement for $125,000 with a Denver-based healthcare provider, Cornell Pharmacy, following the improper disposal of patient health records. OCR determined this breached the HIPAA Right of Access provision of the HIPAA Privacy Rule. Some of these were accidental. The practice trained all staff on the newly developed policies and procedures. The hospital asserted that the disclosures were made to avert a serious threat to health or safety; however, OCR's investigation indicated that the disclosures did not meet the Privacy Rule's standard for such actions. Issue: Access. OCR settled the case for $55,000. The Department of Health and Human Services' Office for Civil Rights announced yesterday that the University of Mississippi Medical Center (UMMC) has agreed to settle alleged HIPAA violations and will pay a financial penalty of $2.75 million. Outpatient Surgical Facility Corrects Privacy Procedure in Research Recruitment