Over the past 12 months, the style and severity of threats have continuously evolved. Sentara Hospitals reported the breach to OCR as having impacted 8 individuals. Pharmacy Chain Revises Process for Disclosures to Law Enforcement. OCR investigated a complaint about an impermissible disclosure of a patient's PHI to a reporter. A private practice failed to honor an individual's request for a complete copy of her minor son's medical record. Oregon Health & Science University (OHSU) has agreed to settle a case with the Department of Health and Human Services' Office for Civil Rights stemming from two data breaches experienced in 2013. After the permanent closure of the company, paperwork containing former patients' PHI was discarded by FileFax. When state laws are violated, the individuals whose ePHI has been compromised may be able to take legal action against the breached entity if it can be proven that an individual has suffered harm due to the negligence of a Covered Entity or Business Associate. The Department of Health and Human Services' Office for Civil Rights announced yesterday that the University of Mississippi Medical Center (UMMC) has agreed to settle alleged HIPAA violations and will pay a financial penalty of $2.75 million. Orlando, FL-based primary care provider Health Specialists of Central Florida Inc. was investigated by OCR after receipt of a complaint from a woman who had not been provided with a copy of her deceased father's medical records. Massachusetts General Hospital agreed to settle the alleged HIPAA violations with OCR for $515,000. Had software patches been installed on the computers, the malware would not have been able to infect the PCs. A digital photocopier was returned to a leasing company, but the PHI stored on its hard drive had not been erased before the device was returned.
The infection resulted in the impermissible disclosure of the electronic protected health information of 1,670 individuals. The Center did not, however, provide the complainant with the opportunity to have the denial reviewed, as required by the Privacy Rule. OCR's investigation revealed that periodic technical and non-technical evaluations of operational changes affecting the security of ePHI had not been performed, procedures had not been implemented to verify the identity of individuals accessing ePHI, there was a lack of ePHI safeguards, and Aetna had violated the minimum necessary standard. The HIPAA Right of Access violation was settled with OCR for $30,000. Further, the covered entity counseled the supervisor about appropriate use of the medical information of a subordinate. The pharmacy did not consider the customer's insurance card to be protected health information (PHI). OCR determined this breached the HIPAA Right of Access provision of the HIPAA Privacy Rule. A patient's rights under the Privacy Rule are not contingent on the patient's agreement with a covered entity. The Department of Health and Human Services' Office for Civil Rights has announced it has reached a settlement with North Memorial Health Care of Minnesota over alleged HIPAA violations from a 2011 data breach. Presence Health took three months to issue breach notifications when the Breach Notification Rule requires notifications to be sent within 60 days of the discovery of a breach. OCR investigated Peachstate and uncovered multiple potential violations of the HIPAA Security Rule. CHCS will also pay a financial penalty of $650,000.
State Hospital Sanctions Employees for Disclosing Patient's PHI. HIPAA Violation Case Settled Between Ambulance Company & OCR for $65,000. A settlement of $1,700,000 has been agreed upon with OCR to resolve the HIPAA violations that contributed to the cause of the breach. To avoid these, a proactive approach should include a regular risk assessment and corrective action plan. Metro Community Provider Network (MCPN) has agreed to pay OCR $400,000 and adopt a robust corrective action plan to resolve all HIPAA compliance issues identified during the OCR investigation. Arbour Hospital, a mental health clinic in Boston, MA, failed to provide a patient with the requested medical records within 30 days. A physician practice requested that patients sign an agreement entitled "Consent and Mutual Agreement to Maintain Privacy." The agreement prohibited the patient from directly or indirectly publishing or airing commentary about the physician, his expertise, and/or treatment in exchange for the physician's compliance with the Privacy Rule. Between October 23, 2009, and March 7, 2010, part of its database of policyholders was accessible to unauthorized individuals. If an offense is committed under false pretenses, the criminal penalties increase to a maximum . When you're discussing a patient's information on the phone, you need to be in a private place where others can't hear you. Catholic Health Care Services of the Archdiocese of Philadelphia has agreed to settle alleged HIPAA violations with OCR and implement a Corrective Action Plan (CAP). This was OCR's first settlement under the 2019 HIPAA Right of Access enforcement initiative. In case you aren't sure what I mean regarding judgment and professional boundaries: nurses need to avoid the appearance of impropriety. OCR determined there had been a failure to protect patient information which resulted in an impermissible disclosure of 2,150 patient records.
To resolve this matter, the covered entity refunded the $100.00 records review fee. Hospital Issues Guidelines Regarding Disclosures to Avert Threats to Health or Safety. Even posts that seem well-meaning can violate privacy and confidentiality. The case was settled for $70,000. I personally would not expect a student to fully understand these things; correction and education would be in order rather than exaggerating the offenses to the level of a HIPAA violation. Massachusetts General Hospital was fined for allowing an ABC film crew to record footage of patients as part of the Boston Med TV series, without first obtaining consent from patients. The HIPAA Right of Access violation was settled with OCR for $32,150. In 2012 it suffered a security breach that exposed the data of 2,700 individuals as a result of a malware infection. OCR clarified that an individual's health insurance card meets the statutory definition of PHI and, as such, needs to be safeguarded. A private practice denied an individual access to his records on the basis that a portion of the individual's record was created by a physician not associated with the practice. Private Practice Revises Access Procedure to Provide Access Despite an Outstanding Balance. The server had been purchased and a file-sharing application was installed, yet the application's settings were never changed. Comments and replies to someone else's post, chat room gossip (even if it's a private room), or leaving a review on a site like Yelp open the door to potential HIPAA violations. An outpatient surgical facility disclosed a patient's protected health information (PHI) to a research entity for recruitment purposes without the patient's authorization or an Institutional Review Board (IRB) or privacy-board-approved waiver of authorization. Operating as Agape Health Services, the company experienced a breach of the ePHI of 1,263 patients.
The first bar in the group of three per year represents the complaints closed in which there was no violation, the second those in which there was corrective action, and the third the total closures. OCR stepped up enforcement of compliance with the HIPAA Rules in 2016, more than doubling the number of financial penalties. Among other corrective actions to resolve the specific issues in the case, OCR required the covered entity to revise its policy. The nurse in question sent out six text messages to warn the patient's girlfriend about his STD. OCR settled the case for $3,500. Question: Dear Nancy, can an RN lose his or her nursing license over a HIPAA violation? Complete P.T., Pool & Land Physical Therapy, Inc. (CPT) has agreed to pay a fine of $25,000 to the Department of Health and Human Services after the company posted photographs and names of patients on the client testimonial section of its website without first having obtained HIPAA-compliant authorizations from the patients in question. The case was settled for $1,040,000. HIPAA Fails Kim Kardashian. In 2013, medical employees decided to "Keep Up With The Kardashians," and it cost them their jobs. A nurse at a Texas children's hospital has been fired for violating Health Insurance Portability and Accountability Act (HIPAA) Rules by posting protected health information on a social media website. In response, the hospital instituted a number of actions to achieve compliance with the Privacy Rule. HIPAA violations don't just occur when a nurse posts something of their own accord. The maximum civil penalty is $1.5 million per calendar year for violations of an identical HIPAA provision. However, the investigation revealed that the pharmacy chain and the law firm had not entered into a Business Associate Agreement, as required by the Privacy Rule to ensure that PHI is appropriately safeguarded.
OCR received two complaints from patients in 2019 alleging they had to wait several months to receive a copy of their medical records. An article published in the LA Times started a sequence of events that has now resulted in Shasta Regional Medical Center (SRMC) agreeing to a settlement of $275,000 for its violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Hackers used a compromised username and password to gain access to a server that contained the protected health information (PHI) of 3.5 million individuals. "HIPAA applies to schools." CardioNet is a Pennsylvania-based provider of remote mobile monitoring and rapid response services to patients at risk for cardiac arrhythmias. Among other actions taken to satisfactorily resolve this matter, the hospital took further disciplinary action with the nurse, which included: documenting the employee record with a memo of the incident; one year of probation; referral for peer review; and further training on HIPAA Privacy. The HHS Office for Civil Rights handles civil enforcement of the HIPAA Rules, including financial penalties and settlements; criminal violations of HIPAA are referred to and prosecuted by the Department of Justice. To remedy this situation, the private practice revised its policies and procedures regarding the disclosure of PHI and trained all physicians and staff members on the new policies and procedures. A violation of HIPAA attributable to ignorance (the covered entity did not know, and could not reasonably have known, of the violation) can attract a fine of $100 to $50,000 per violation. OCR's investigators identified a risk analysis failure, a lack of reviews of system activity, a failure to verify identity for access to PHI, and insufficient technical safeguards. CNE is required to pay a financial penalty of $400,000 and must adopt a comprehensive Corrective Action Plan (CAP) to address various areas of HIPAA non-compliance.
In order to resolve this matter to OCR's satisfaction and to prevent a recurrence, the covered entity: terminated the nurse practitioner's access to its electronic records system; reported the nurse practitioner's conduct to the appropriate licensing authority; and provided the nurse practitioner with remedial Privacy Rule training.