In addition to corrective action taken under the Privacy Rule, the state attorney general's office entered into a monetary settlement agreement with the patient. While the Privacy Rule may permit the disclosure of an OR schedule containing PHI, in this case, a hospital employee shared the OR schedule with the complainant's supervisor, who was not part of the employee's treatment team, and did not need the information for payment, health care operations, or other permissible purposes. After OCR notified the entity of the allegation, the entity released the complainant's medical records but also billed him $100.00 for a records review fee as well as an administrative fee. The new procedures were incorporated into the standard staff privacy training, both as part of a refresher series and mandatory yearly compliance training. Honolulu-based Hawaii Pacific Health fired an employee in March after discovering the employee had inappropriately accessed patient medical records between November 2014 and January 2020. Phoenix, AZ-based Banner Health is one of the largest healthcare systems in the United States. OCR provided technical assistance to the physician, explaining that, in general, the Privacy Rule requires that a covered entity provide an individual access to their medical record within 30 days of a request, regardless of whether or not the individual has a balance due. Covered Entity: Private Practice A staff member of a medical practice discussed HIV testing procedures with a patient in the waiting room, thereby disclosing PHI to several other individuals. A pharmacy employee placed a customer's insurance card in another customer's prescription bag. U.S. Department of Health & Human Services We've aggregated the ultimate list of reported celebrity HIPAA violations. Issue: Impermissible Uses and Disclosures; Authorizations. 
The consequences of violating HIPAA can be significant, and it is important to note that fines for a HIPAA violation can be applied by the HHS Office for Civil Rights (OCR) even if no breach of PHI has occurred. Issue: Access, Restrictions. When state laws are violated, the individuals whose ePHI has been compromised may be able to take legal action against the breached entity if it can be proven that an individual has suffered harm due to the negligence of a Covered Entity or Business Associate. A New York City Hospital Is Investigating a Nurse for Sharing Video Footage With The Intercept Lillian Udell is being investigated for violating privacy laws after sharing video of nurses. To resolve this matter, OCR also required the practice to revise the office's fax cover page to underscore a confidential communication for the intended recipient. A doctor's office disclosed a patient's HIV status when the office mistakenly faxed medical records to the patient's place of employment instead of to the patient's new health care provider. As of July 2022, there have been 38 HIPAA Right of Access cases under this compliance initiative that resulted in financial penalties. State Attorneys General can also impose financial penalties on HIPAA-covered entities and business associates for violations of the HIPAA Rules. Further, the covered entity counseled the supervisor about appropriate use of the medical information of a subordinate. If not, the form is invalid and any information released to a third party would be in violation of HIPAA regulations. The case was settled for $62,500. Detailed below is a summary of all HIPAA violation cases that have resulted in settlements with the Department of Health and Human Services Office for Civil Rights (OCR), including cases that have been pursued by OCR after potential HIPAA violations were discovered during data breach investigations, and investigations of complaints submitted by patients and healthcare employees. 
OCR also found the Notice of Privacy Practices to be inadequate. At the direction of an insurance company that had requested an independent medical exam of an individual, a private medical practice denied the individual a copy of the medical records. The directory contained files that included the protected health information (PHI) of 307,839 individuals. OCR found that the owner of the practice had responded to several reviews and disclosed ePHI, even disclosing the names of patients in the responses who had chosen to post reviews anonymously. OCR intervened and provided technical assistance on the HIPAA Right of Access but received a second complaint when the records had still not been provided. An ABC crew was permitted to film inside NYP facilities for the show NY Med featuring Dr. Mehmet Oz. Somogye v. Toledo Clinic, 2012 WL 2191279 (N.D. Ohio, June 14, 2012). Since then, OCR has been cracking down on entities that have failed to provide individuals with timely access to their medical records. OCR received a complaint from a patient of NY Spine, a private New York medical practice, who alleged she had not been provided with a copy of the diagnostic films that she specifically requested. The California-based psychiatric medical services provider failed to provide a patient with timely access to the requested medical records and charged an unreasonable fee when the records were eventually provided. On Tuesday, the Department of Justice said Jeffrey Parker of Rincon . OCR launched an investigation of University of Rochester Medical Center following receipt of two breach reports concerning lost/stolen portable devices containing ePHI (a flash drive and a laptop computer). The Department of Health and Human Services Office for Civil Rights has announced that Children's Medical Center of Dallas has paid a civil monetary penalty of $3.2 million to resolve multiple HIPAA violations spanning several years. 
The case was settled for $10,000. Nurse Pleads Guilty to HIPAA Violation A licensed practical nurse who pled guilty to wrongfully disclosing a patient's health information for personal gain faces a maximum penalty of 10 years imprisonment, a $250,000 fine or both. The HIPAA Right of Access violation was settled with OCR for $65,000. Brigham and Women's Hospital agreed to settle the alleged HIPAA violations with OCR for $384,000. OCR required the covered entity to cease using the patient agreement that conditioned the entity's compliance with the Privacy Rule. All staff were trained on the revised procedures. Issue: Safeguards, Minimum Necessary. It took 8 months from the date of the first request for the records to be provided. During the investigation, OCR discovered the business associate had acquired Peachstate, a CLIA-certified laboratory that provides clinical and genetic testing services. OCR investigated a breach reported by the Department of Veteran Affairs involving a business associate, Authentidate Holding Corporation. The case was settled for $2,300,000. Talking about a patient in a public area where others can hear you is a HIPAA violation. Among other corrective actions to resolve the specific issues in the case, OCR required the health insurer to train its staff on the applicable policies and procedures and to mitigate the harm to the individual. Danbury Psychiatric Consultants in Massachusetts received a request for medical records on March 24, 2020, but access to the records was refused due to an outstanding bill. The nurse in question sent out six text messages to warn the patient's girlfriend about his STD. Presence Health took three months to issue breach notifications when the Breach Notification Rule requires notifications to be sent within 60 days of the discovery of a breach. A violation of HIPAA attributable to ignorance can attract a fine of $100 - $50,000. The case was settled with OCR for $300,640. 
Fresenius Medical Care North America settled the case for $3,500,000. A violation of HIPAA attributable to ignorance can attract a fine of $100 to $50,000. The doctor was retiring and received a delivery of 71 boxes of medical files containing up to 8,000 patient records; however, the delivery was made, and the boxes were left on the doctor's driveway while he was out of the house. Issue: Access, Authorization. In case you aren't sure what I mean regarding judgment and professional boundaries: Nurses need to avoid the appearance of impropriety. Renown Health, a not-for-profit healthcare network in Northern Nevada, failed to provide a patient's attorney with a copy of her medical and billing records within 30 days. It took 564 days from the initial request for all of the records to be provided to the patient. The penalties for a HIPAA violation are determined by the CE; HIPAA itself does not explicitly state what types of HIPAA violations will and will not result in the loss of a job. OCR confirmed that PHI had been disclosed without an authorization from the patient and that there had been no sanctions against the physician responsible, despite being warned in advance not to disclose any PHI. Among other corrective actions to remedy this situation, OCR required that the hospital revise its subpoena processing procedures. The man sued the clinic, even though it had already dismissed the nurse from her job. A settlement of $85,000 was agreed upon with OCR to resolve the HIPAA violation. It took 5 months from the initial request for the complete set of medical records to be provided. In 2013 and 2015, protections on servers were accidentally removed and files containing ePHI could be accessed over the internet without the need for a username or password. The case was settled with OCR for $25,000. Issue: Impermissible Uses and Disclosures; Safeguards. 
Without a properly executed agreement, a covered entity may not disclose PHI to its law firm. MIE also settled a multi-state action with state attorneys general and paid a penalty of $900,000. The outpatient facility reportedly believed that such disclosures were permitted by the Privacy Rule. Shaila Mae. Among the corrective actions required to resolve this case, OCR required the insurer to correct the flaw in its computer system, review all transactions for a six-month period and correct all corrupted patient information. Elite Primary Care is a provider of primary health services in Georgia. The practice trained all staff on the newly developed policies and procedures. New England Dermatology and Laser Center in Massachusetts disposed of empty specimen containers in regular dumpsters between February 4, 2011, and March 31, 2021. Prison Time for Scheme to Frame Nurse for HIPAA Violations. Orlando, FL-based primary care provider, Health Specialists of Central Florida Inc., was investigated by OCR after receipt of a complaint from a woman who had not been provided with a copy of her deceased father's medical records. The maximum penalty for a single breach is $1.5 million per year. The Center did not, however, provide the complainant with the opportunity to have the denial reviewed, as required by the Privacy Rule. To resolve this matter to the satisfaction of OCR, the hospital: retrained an entire Department with regard to the requirements of the Privacy Rule; provided additional specific training to staff members whose job duties included leaving messages for patients; and revised the Department's patient privacy policy to clarify patient rights to accommodation of reasonable requests to receive communications of PHI by alternative means or at alternative locations. The HIPAA Right of Access violation was settled with OCR for $5,000. 
Since HIPAA's enactment in 1996, we've witnessed almost 20 reported cases of unauthorized personnel looking up the medical records of celebrities. In 2015, Excellus Health Plan reported a breach of the ePHI of 9,358,891 individuals. Issue: Safeguards. Beth Israel Lahey Health Behavioral Services (BILHBS) is the largest provider of mental health and substance use disorder services in eastern Massachusetts. November 30, 2021 - New York-based Huntington Hospital began notifying 13,000 patients of a data breach that exposed protected health information (PHI) and resulted in a former . By 2011, the UCLA Health System would agree to pay a fine of $865,000 to settle HIPAA privacy violations at its three hospitals. To resolve the matter, OCR required the pharmacy chain and the law firm to enter into a business associate agreement. The last update to the HIPAA violation penalty amounts applies to cases assessed on or after March 17, 2022, as detailed in the table below: *Table last updated in March 2022. Employees were trained to provide only the minimum necessary information in messages, and were given specific direction as to what information could be left in a message. Paradise Family Dental was investigated in response to a complaint that a parent had not been provided with a copy of her minor child's medical records, despite submitting multiple requests to the practice. The case was settled for $1,000,000. The case was settled for $25,000. District of Ohio dismissed her case. Advanced Spine & Pain Management, a provider of chronic pain-related medical services in Cincinnati and Springboro, OH, failed to provide a patient with timely access to the requested medical records. The complainant alleged that a mental health center (the "Center") improperly provided her records to her auto insurance company and refused to provide her with a copy of her medical records. 
A case study involving one nursing education program's experience with a Health Insurance Portability and Accountability Act (HIPAA) violation is used to illustrate how one nursing. The patient filed a complaint with OCR and the records were eventually provided more than 10 months later. North Memorial has agreed to pay $1,550,000 to OCR to settle the HIPAA violation charges. Among other corrective actions to resolve the specific issues in the case, OCR required the covered entity to revise its policy. Scott Harris and the rest of our team at S J Harris Law will be ready to help you pursue any option available that allows you to keep your license and continue working, no matter what industry you are in. OCR intervened and closed the case but received a second complaint a month later when the records had still not been provided. The Center provided OCR with a valid authorization, signed by the complainant, permitting the release of information to the auto insurance company. Outpatient Surgical Facility Corrects Privacy Procedure in Research Recruitment Alternatively, financial penalties can be imposed if a breach of ePHI violates state laws. This will have long-lasting ramifications. The Phoenix, Arizona-based non-profit health system, Banner Health, experienced a hacking incident that resulted in the impermissible disclosure of the PHI of 2.81 million individuals in 2016. As a result of this review, the hospital revised the distribution of the OR schedule, limiting it to those who have a need to know. Private Practice Ceases Conditioning of Compliance with the Privacy Rule Housing Works, Inc. is a New York City-based non-profit healthcare organization that provides healthcare, homeless services, and legal aid support for people affected by HIV/AIDS. King MD is a small provider of psychiatric services in Virginia. 
The Department of Health and Human Services Office for Civil Rights announced yesterday that the University of Mississippi Medical Center (UMMC) has agreed to settle alleged HIPAA violations and will pay a financial penalty of $2.75 million. The HIPAA Right of Access violation was settled with OCR for $70,000. Anchorage Community Mental Health Services (ACMHS) runs five mental health facilities in Alaska and is a non-profit organization. The HIPAA Right of Access violation was settled with OCR for $30,000. Issue: Impermissible Disclosure; Confidential Communications. If an organization fails to take corrective action after having been issued a fine, the HHS Office of Civil Rights can impose subsequent fines. Covered Entity: General Hospital The case was ultimately unsuccessful; the court ruled in favor of the nurse. A nurse and an orderly at a state hospital discussed the HIV/AIDS status of a patient and the patient's spouse within earshot of other patients without making reasonable efforts to prevent the disclosure. OCR settled the case for $50,000. Puerto Rico Blue Cross Blue Shield licensee Triple S Management Corporation has agreed to pay a HIPAA violation fine of $3.5 million to the Department of Health and Human Services Office for Civil Rights. In April 2019, OCR reexamined the HITECH Act and determined the language had been misinterpreted and issued a Notice of Enforcement Discretion stating the maximum annual penalties in each penalty tier would be changed to reflect the seriousness of the violations. The HHS' Office of Civil Rights receives between 1,200 and 1,500 complaints and notifications of breaches per year. Covered Entity: Private Practice Educators worry about the confidentiality of all student information, particularly the data relied upon in developing and implementing IEPs and Section 504 plans, often on account of "HIPAA . 
Large Health System Restricts Provider's Use of Patient Records The possibility of HIPAA lawsuits brought forth by patients and breach victims could change HIPAA enforcement. The records were provided on September 14, 2020. There may be a viable claim, in some cases, under state privacy laws. Over the past 12 months, the style and severity of threats have continuously evolved. Covered Entity: Pharmacies State Hospital Sanctions Employees for Disclosing Patient's PHI St. Joseph Health has agreed to pay OCR $2,140,500. Providence Health & Services. Issue: Impermissible Uses and Disclosures. OCR investigated a complaint about an impermissible disclosure of a patient's PHI to a reporter. Issue: Impermissible Uses and Disclosures. The Department of Health and Human Services Office for Civil Rights has announced it has settled potential HIPAA violations with Feinstein Institute for Medical Research for $3.9 million. HHS OCR settled the case for $30,000. The infection resulted in the impermissible disclosure of the electronic protected health information of 1,670 individuals. Covered Entity: Health Plans Clinic Sanctions Supervisor for Accessing Employee Medical Record OCR investigated and identified longstanding, systemic noncompliance with the HIPAA Security Rule, including risk analysis and risk management failures, and the failure to provide security awareness training to employees. On September 29, 2011, a portable USB storage device (pen drive) was left overnight in the IT Department, from where it was stolen. The case was settled for $160,000. The solo dental practitioner in Butler, PA, failed to provide a patient with a copy of their medical record in a timely manner. OCR determined its compliance program had been in disarray for several years. 
Under the revised policies and procedures, the practice may use and disclose PHI for research purposes, including recruitment, only if a valid authorization is obtained from each individual or if the covered entity obtains documentation that an alteration to or a waiver of the authorization requirement has been approved by an IRB or a Privacy Board. This was the case in 2019, when a number of healthcare professionals accessed a particular actor's medical records after the actor was part of a potential hoax hate-crime, which became headline news. The case was settled for $3 million. Covered Entity: Pharmacy Chain There are four different HIPAA violation classifications which rank the level of an organization's willful neglect, and four penalty tiers depending on factors such as the length of time a violation was allowed to continue after being discovered, the number of people affected by the violation, and the nature of data exposed. A Nurse's Guide to the Use of Social Media discusses the case of a hospice nurse whose cancer patient had posted about her depression. OCR received a complaint from a patient who had not been provided with a copy of his medical records. Examples of HIPAA Violations by Nurses Private Practice Revises Access Procedure to Provide Access Despite an Outstanding Balance Upon learning of the incident, the hospital placed both employees on leave; the orderly resigned his employment shortly thereafter. Issue: Impermissible Uses and Disclosures. Issue: Access. Covered Entity: Health Care Provider Issue: Conditioning Compliance with the Privacy Rule. OCR received a complaint from a patient who had not been provided with her medical records after a 2-month wait. If a nurse breaches HIPAA, a patient cannot sue the nurse directly for a HIPAA breach. But it's vital. HIPAA Journal states that if a nurse violates HIPAA, it is important that the incident is reported to the person responsible for HIPAA compliance in your facility or your supervisor. 
OCR's investigation revealed that: the hospital distributed an Operating Room (OR) schedule to employees via email; the hospital's OR schedule contained information about the complainant's upcoming surgery. An OCR investigation indicated that the form the HMO relied on to make the disclosure was not a valid authorization under the Privacy Rule. The case was settled for $25,000. 3 Examples of HIPAA Violation Cases Example #1: When it comes to HIPAA, curiosity can kill the cat or your career. Memphis Commercial Appeal. Once the physician learned that he could not withhold access until payment was made, the physician provided the complainant a copy of her medical record. HIPAA violations don't just occur when a nurse posts something of their own accord. A patient of Elite Dental Associates submitted a complaint to OCR stating her PHI had been disclosed by Elite Dental Associates in response to a review on Yelp. The previous record was the $3.5 million settlement with Triple S Management Corporation agreed in November 2015. A patient submitted a complaint to OCR about an impermissible disclosure of PHI in a mailing. The revised policy was implemented in the chain's stores nationwide. Penalties for "willful neglect" violations can range from . Pharmacy Chain Institutes New Safeguards for PHI in Pseudoephedrine Log Books In response, the hospital instituted a number of actions to achieve compliance with the Privacy Rule. The University of Washington Medicine has agreed to settle with the Department of Health and Human Services Office for Civil Rights and will pay a HIPAA fine of $750,000 for potential HIPAA violations stemming from a 90,000-record data breach suffered in 2013. The PHI of 58,106 patients was improperly disposed of during that timeframe. Sentara Hospitals reported the breach to OCR as having impacted 8 individuals. 
The Department of Health and Human Services Office for Civil Rights has agreed to a $650,000 settlement with University of Massachusetts Amherst (UMass). To resolve this matter, OCR also required the practice to revise its policies and operating procedures and to move medical alert stickers to the inside cover of the records. A mother requested a copy of her son's medical records, but the records had not been provided three months after submitting the request. The server had been purchased and a file-sharing application was installed, yet no changes were made to the application. HIPAA violation penalties are tiered based on the level of negligence determined by the Department of Health and Human Services or the state attorney general. A Georgia man has been sentenced to federal prison in an unusual case in which he portrayed himself as a whistleblower while falsely reporting to authorities that a hospital worker committed criminal HIPAA violations. Further, the covered entity's Privacy Officer and other representatives met with the patient and apologized, and followed the meeting with a written apology. Health Plan Corrects Computer Flaw that Caused Mailing of EOBs to Wrong Persons Presence Health, one of the largest healthcare networks serving residents of Illinois, has agreed to pay OCR $475,000 to settle potential HIPAA Breach Notification Rule violations. The device was not password-protected, and the personal information of over 20,000 patients wasn't encrypted. OCR investigated and found the EHR company had been allowed access to ePHI without signing a business associate agreement, as well as risk analysis and risk management failures. Maybe PHI was in the background unknowingly. Activities considered preparatory to research include: preparing a research protocol; developing a research hypothesis; and identifying prospective research participants. 
The OCR investigation determined 577 patients had been affected, but Sentara Hospitals refused to update its breach notice to reflect the correct number of patients affected. Following the report of the theft of a laptop from the Springfield Missouri Physical Therapy Center, Concentra Health Services was subjected to an investigation by the OCR. Radiologist Revises Process for Workers' Compensation Disclosures Raleigh Orthopaedic Clinic, P.A., of North Carolina over alleged violations of HIPAA Rules. Idaho State University's Pocatello Family Medicine Clinic disabled the firewall that was protecting a server containing the medical health records of 17,500 patients. A municipal social service agency disclosed protected health information while processing Medicaid applications by sending consolidated data to computer vendors that were not business associates. Arbour Hospital, a mental health clinic in Boston, MA, failed to provide a patient with the requested medical records within 30 days. The disclosure was not consistent with documents approved by the Institutional Review Board (IRB). CNE is required to pay a financial penalty of $400,000 and must adopt a comprehensive Corrective Action Plan (CAP) to address various areas of HIPAA non-compliance. The medical center had also failed to enter into a BAA with a business associate. OCR attempted to resolve the matter via informal means between November 6, 2015, and August 30, 2016, before issuing a Notice of Proposed Determination on September 30, 2016. OCR received a complaint from a patient of Dr. Rajendra Bhayani, a Regal Park, NY-based private practitioner specializing in otolaryngology, alleging he had not provided a patient with a copy of her medical records. The nurse explained that the two individuals whose . 
Boston Medical Center was fined for allowing an ABC film crew to record footage of patients as part of the Boston Med TV series, without first obtaining consent from patients. The data breach exposed the Protected Health Information of 55,000 patients. In more serious cases, or where multiple violations have occurred, the nurse may lose their job. The incident for which the fine has been issued dates back to 2009 when a data security complaint was filed by a patient of one of its doctors. Life Hope Labs, LLC, in Sandy Springs, Georgia, failed to provide an individual with the medical records of her deceased father in a timely manner. An article published in the LA Times started a sequence of events that has now resulted in Shasta Regional Medical Center (SRMC) agreeing to a settlement of $275,000 for its violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. Private Practice Revises Process to Provide Access to Records Issue: Impermissible Disclosure. September 05, 2017 - A Kentucky hospital was found to have acted lawfully when it fired a nurse for committing a HIPAA violation, according to the Kentucky Court of Appeals. The case was settled for $100,000. Cornell Pharmacy is a single-location healthcare provider that mostly serves hospice care organizations in Denver and provides compound medications. The case was settled for $1,040,000. Memorial Hermann Health System has agreed to pay OCR $2,400,000. Among other corrective actions to resolve the specific issues in the case, OCR required that the social service agency develop procedures for properly disclosing protected health information only to its valid business associates and to train its staff on the new processes.