HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines.

After being notified by OCR about a proposed fine of $105,000, Dr. Brockley requested a hearing with an Administrative Law Judge, but settled out of court and agreed to a fine of $30,000. Issue: Impermissible Uses and Disclosures.

MelroseWakefield Healthcare in Massachusetts received a valid request from a personal representative of a patient on June 12, 2020, but it took until October 20, 2020, for the requested records to be provided due to an error regarding the legality of the durable power of attorney.

The new procedures were incorporated into the standard staff privacy training, both as part of a refresher series and mandatory yearly compliance training. Another potential HIPAA violation that's easily overlooked is discussing information over the phone. Employees also were trained to review registration information for patient contact directives regarding leaving messages. Data were accessed by unknown third parties after ePHI was unwittingly transferred to a server accessible to the public.

Covered Entity: Pharmacies. Issue: Impermissible Uses and Disclosures; Authorizations.

Outpatient Surgical Facility Corrects Privacy Procedure in Research Recruitment

Health Plan Corrects Computer Flaw that Caused Mailing of EOBs to Wrong Persons

While the amendment provisions of the Privacy Rule permit a covered entity to deny an individual's request for an amendment when the covered entity did not create the portion of the record subject to the request for amendment, no similar provision limits individuals' rights to access their protected health information.
An article published in the LA Times started a sequence of events that has now resulted in Shasta Regional Medical Center (SRMC) agreeing to a settlement of $275,000 for its violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.

Idaho State University's Pocatello Family Medicine Clinic disabled the firewall that was protecting a server containing the medical health records of 17,500 patients.

Keep Thoughts to Yourself.

Issue: Impermissible Disclosure. Covered Entity: Private Practices. OCR settled the case for $55,000. A study found that the average person spends about 52 minutes per day engaging in this type of conversation.

The first bar in the group of three per year represents the complaints closed in which there was no violation, the second in which there was corrective action, and the third reflects the total closures.

Among other corrective actions to resolve the specific issues in the case, the pharmacy revised its policies regarding PHI and retrained its staff. The case was settled for $15,000. It took multiple requests and almost 5 months for all of the requested medical records to be provided. Under the revised policies and procedures, the practice may use and disclose PHI for research purposes, including recruitment, only if a valid authorization is obtained from each individual or if the covered entity obtains documentation that an alteration to or a waiver of the authorization requirement has been approved by an IRB or a Privacy Board.

Family Dental Care, P.C. There may be a viable claim, in some cases, under state privacy laws. Covered Entity: Private Practice. There are four tiers of HIPAA violation penalties for nurses, ranging from unknowing violations to willful neglect of HIPAA Rules.
All Inclusive Medical Services, Inc. (AIMS) is a Carmichael, CA-based multi-specialty family medicine clinic. However, up to 500 cases per year result in a fine and/or corrective action being required. If not, the form is invalid and any information released to a third party would be in violation of HIPAA regulations. To resolve this matter, the covered entity refunded the $100.00 records review fee.

Hospital Issues Guidelines Regarding Disclosures to Avert Threats to Health or Safety

The case was settled for $65,000. OCR also determined that the Center denied the complainant's request for access because her therapists believed providing the records to her would likely cause her substantial harm. OCR provided technical assistance to the covered entity regarding the requirement that covered entities seeking to disclose PHI for research recruitment purposes must obtain either a valid patient authorization or an Institutional Review Board (IRB) or privacy-board-approved alteration to or waiver of authorization.

Catholic Health Care Services of the Archdiocese of Philadelphia has agreed to settle alleged HIPAA violations with the OCR and implement a Corrective Action Plan (CAP). Anthem agreed to a record-breaking settlement of $16,000,000 to resolve the case. An organization's willingness to assist with an investigation is also taken into account. The new procedures were instituted in Medicaid offices and independent health care programs under the jurisdiction of the municipal social service agency. The case was settled for $850,000. In some severe cases, yes, nurses can lose their jobs if they violate HIPAA.
A doctor's office disclosed a patient's HIV status when the office mistakenly faxed medical records to the patient's place of employment instead of to the patient's new health care provider. Even posts that seem well-meaning can violate privacy and confidentiality. Educators worry about the confidentiality of all student information, particularly the data relied upon in developing and implementing IEPs and Section 504 plans, often on account of "HIPAA . OCR's investigators identified a risk analysis failure, a lack of reviews of system activity, a failure to verify identity for access to PHI, and insufficient technical safeguards.

King MD is a small provider of psychiatric services in Virginia. The patient filed a complaint with OCR and the records were eventually provided more than 10 months later. OCR's investigation revealed that the Center provided the complainant with an opportunity to review her medical record, including the psychotherapy notes, with her therapist, but the Center did not provide her with a copy of her records. The case was settled for $25,000. However, the investigation revealed that the pharmacy chain and the law firm had not entered into a Business Associate Agreement, as required by the Privacy Rule to ensure that PHI is appropriately safeguarded. To avoid these, a proactive approach should include a regular risk assessment and corrective action plan. In 2016, 12 entities agreed to settle their compliance investigations and pay a financial penalty, with one case seeing civil monetary penalties imposed. In the first half of 2018, more than 56% of the 4.5 billion compromised data records were from social media incidents. OCR investigated and found multiple violations of the HIPAA Rules including a delayed response to a known security breach, risk analysis and risk management failures, and a lack of procedures to monitor information system activity logs.
The default security settings were left in place, which allowed any individual with an Internet connection to gain access to the ePHI in the files.

Office for Civil Rights has announced a settlement of $1,215,780 has been reached with Affinity Health Plan, Inc., to resolve potential HIPAA violations discovered during a breach investigation. In more serious cases, or where multiple violations have occurred, the nurse may lose their job. In the majority of cases, the agency resolves the complaints without the need for an investigation or finds no HIPAA violation exists. Issue: Safeguards; Impermissible Uses and Disclosures; Disclosures to Avert a Serious Threat to Health or Safety. Among other corrective actions to resolve the specific issues in the case, including mitigation of harm to the complainant, OCR required the Center to revise its procedures regarding patient authorization prior to release of protected health information to an employer.

The Department of Health and Human Services Office for Civil Rights has announced that Children's Medical Center of Dallas has paid a civil monetary penalty of $3.2 million to resolve multiple HIPAA violations spanning several years. The case was settled for $15,000. The HIPAA Right of Access violation was settled with OCR for $160,000.

HIPAA Violations: Nurse Looked At Her Mother's, Sister's Charts, Termination Upheld.

Covered Entity: Health Plans. A covered entity's obligation to comply with all requirements of the Privacy Rule cannot be conditioned on the patient's silence. However, the court also legitimized a private cause of action in HIPAA lawsuits, which could set a precedent for HIPAA-related legal action.

An investigation of five separate breaches at HIPAA-covered entities owned by Fresenius Medical Care North America revealed multiple HIPAA violations had contributed to the breaches. Allergy Associates of Hartford paid OCR $125,000 to settle the alleged HIPAA violations.
OCR conducted an investigation into an incident involving a stolen laptop that contained the ePHI of 20,431 patients. A national health maintenance organization sent explanation of benefits (EOB) by mail to a complainant's unauthorized family member. Between 2005 and 2019, healthcare data breaches affected nearly 250 million people. Among other corrective actions to resolve the specific issues in the case, OCR required the hospital to develop and implement a policy regarding disclosures related to serious threats to health and safety, and to train all members of the hospital staff on the new policy.

Documentation was uncovered that clearly showed that mobile devices were believed to represent a critical security risk, yet action was not taken to address this issue in time to prevent the data breach. Among other corrective action taken, the Center provided the complainant with a copy of her medical record and revised its policies and procedures to ensure that it provides timely access to all individuals. Moreover, the entity was required to train all staff on the revised policy. There are four different HIPAA violation classifications which rank the level of an organization's willful neglect, and four penalty tiers depending on factors such as the length of time a violation was allowed to continue after being discovered, the number of people affected by the violation, and the nature of data exposed. OCR investigated the incident and discovered risk analysis and risk management failures, insufficient information system activity logging and monitoring, missing business associate agreements, and a failure to provide employees with HIPAA Privacy Rule training. Additionally, in order to prevent similar incidents, the hospital undertook a complete review of the distribution of the OR schedule.
A patient of Elite Dental Associates submitted a complaint to OCR stating her PHI had been disclosed by Elite Dental Associates in response to a review on Yelp. The case was settled with OCR and a $23,000 financial penalty was imposed.

A $2.5 million settlement has been agreed upon with CardioNet to resolve potential HIPAA violations.

OCR has announced a $5.5 million settlement had been reached with Florida-based Memorial Healthcare Systems to resolve potential Privacy Rule and Security Rule violations.

Cancer Care Group, an Indiana-based radiation oncology private physician practice, has agreed to settle with the Department of Health and Human Services Office for Civil Rights for $750,000, for potential HIPAA violations relating to a 2012 data breach.

Southwest Surgical Associates in Texas took 13 months to provide a patient with all of the requested records between February 11, 2020, and March 5, 2021. Covered Entity: Private Practice. Among other corrective actions to remedy this situation, OCR required that the hospital revise its subpoena processing procedures.

The University of Washington Medicine has agreed to settle with the Department of Health and Human Services Office for Civil Rights and will pay a HIPAA fine of $750,000 for potential HIPAA violations stemming from a 90,000-record data breach suffered in 2013. The Department of Health and Human Services' Office for Civil Rights (OCR) has revealed a $65,000 HIPAA violation settlement has been agreed with West Georgia Ambulance, Inc., to address multiple breaches of Health Insurance Portability and Accountability Act Rules.

OCR received a complaint from a patient of Dr. Rajendra Bhayani, a Regal Park, NY-based private practitioner specializing in otolaryngology, alleging he had not provided a patient with a copy of her medical records. CHMC settled the HIPAA Right of Access case with OCR and paid an $80,000 penalty.
The solo dental practitioner in Butler, PA, failed to provide a patient with a copy of their medical record in a timely manner.

Mental Health Center Corrects Process for Providing Notice of Privacy Practices

OCR investigated a complaint about an impermissible disclosure of a patient's PHI to a reporter. Memorial Healthcare Systems has paid the penalty for non-compliance with HIPAA Rules, and in addition to the $5.5 million settlement, a robust corrective action plan must be adopted to address all areas of non-compliance. St. Joseph Health has agreed to pay OCR $2,140,500. Some cases also can result in imprisonment up to one year for a standard violation and imprisonment for up to five years for a violation committed under false pretenses. A nurse and an orderly at a state hospital discussed the HIV/AIDS status of a patient and the patient's spouse within earshot of other patients without making reasonable efforts to prevent the disclosure.

Erie County Medical Center Corporation in Buffalo, NY, failed to provide a patient with timely access to his medical records. To resolve this matter, OCR also required the practice to revise the office's fax cover page to underscore a confidential communication for the intended recipient. OCR provided technical assistance but received another complaint from the same patient that the records had still not been provided. The four categories range from unknowing violations to willful disregard of HIPAA rules. The hacker stole data, attempted to extort money, and leaked the ePHI of 208,557 patients online when payment was not received. Once the physician learned that he could not withhold access until payment was made, the physician provided the complainant a copy of her medical record.

Puerto Rico Blue Cross Blue Shield licensee Triple S Management Corporation has agreed to pay a HIPAA violation fine of $3.5 million to the Department of Health and Human Services Office for Civil Rights.
For example, texting or calling a coworker to ask about a shared patient's case would be a HIPAA violation.