OCR provided technical assistance to the physician, explaining that, in general, the Privacy Rule requires that a covered entity provide an individual access to their medical record within 30 days of a request, regardless of whether or not the individual has a balance due.
Covered Entity: Private Practice
One of the most common HIPAA violations is a result of lost company devices. After treating a patient injured in a rather unusual sporting accident, the hospital released to the local media, without the patient's authorization, copies of the patient's skull x-ray as well as a description of the complainant's medical condition. OCR intervened but received a second complaint a month later when the records had still not been provided. OCR settled the case for $3,500. MAPFRE has agreed to a $2,200,000 settlement with OCR. The case was settled for $2,300,000. OCR determined this violated the HIPAA Right of Access provision of the HIPAA Privacy Rule.
Physician Revises Faxing Procedures to Safeguard PHI
They split the fines and charges into two categories: reasonable cause and willful neglect. OCR provided technical assistance to the covered entity, explaining that the Privacy Rule permits a covered entity to provide a summary of patient records rather than the full record only if the requesting individual agrees in advance to such a summary or explanation. The Department of Health and Human Services' Office for Civil Rights has announced that Children's Medical Center of Dallas has paid a civil monetary penalty of $3.2 million to resolve multiple HIPAA violations spanning several years. In some severe cases, yes, nurses can lose their jobs if they violate HIPAA.
Covered Entity: Health Care Provider
QCA Health Plan has agreed to settle the HIPAA violations with OCR for $250,000. The nurse in question sent out six text messages to warn the patient's girlfriend about his STD.
To resolve this matter, OCR also required the practice to revise its policies and operating procedures and to move medical alert stickers to the inside cover of the records. Among other corrective actions to resolve the specific issues in the case, the HMO created a new HIPAA-compliant authorization form and implemented a new policy that directs staff to obtain patient signatures on these forms before responding to any disclosure requests, even if patients bring in their own authorization form. A patient's rights under the Privacy Rule are not contingent on the patient's agreement with a covered entity. To resolve this matter, the mental health center revised its intake assessment policy and procedures to specify that the notice will be provided and the clinician will attempt to obtain a signed acknowledgement of receipt of the notice prior to the intake assessment. In fact, even a competent healthcare facility will experience minor HIPAA violation cases at some point. OCR received a complaint from a patient of Dr. Rajendra Bhayani, a Regal Park, NY-based private practitioner specializing in otolaryngology, alleging he had not provided a patient with a copy of her medical records.
Covered Entity: General Hospital
Paradise Family Dental was investigated in response to a complaint that a parent had not been provided with a copy of her minor child's medical records, despite submitting multiple requests to the practice. The HIPAA Right of Access violation was settled with OCR for $30,000. There may be a viable claim, in some cases, under state laws.
Covered Entity: Pharmacies
National Pharmacy Chain Extends Protections for PHI on Insurance Cards
The case was settled for $3 million.
Covered Entity: Private Practice
Settlements have previously been agreed upon with healthcare providers, health plans, and business associates of covered entities, but this is the first time OCR has settled potential HIPAA violations with a wireless health services provider. Advanced Spine & Pain Management, a provider of chronic pain-related medical services in Cincinnati and Springboro, OH, failed to provide a patient with timely access to the requested medical records. The patient filed a complaint with OCR and the records were eventually provided more than 10 months later. To resolve this matter to the satisfaction of OCR, the hospital: retrained an entire department with regard to the requirements of the Privacy Rule; provided additional specific training to staff members whose job duties included leaving messages for patients; and revised the department's patient privacy policy to clarify patient rights to accommodation of reasonable requests to receive communications of PHI by alternative means or at alternative locations. Oregon Health & Science University (OHSU) has agreed to settle a case with the Department of Health and Human Services' Office for Civil Rights stemming from two data breaches experienced in 2013. OCR imposed a civil monetary penalty of $100,000.
Dentist Revises Process to Safeguard Medical Alert PHI
Orlando, FL-based primary care provider Health Specialists of Central Florida Inc. was investigated by OCR after receipt of a complaint from a woman who had not been provided with a copy of her deceased father's medical records.
Outpatient Surgical Facility Corrects Privacy Procedure in Research Recruitment
OCR's investigation determined that a flaw in the health plan's computer system put the protected health information of approximately 2,000 families at risk of disclosure in violation of the Rule. In addition, the employee who made the disclosure was counseled and given a written warning.
University of Texas MD Anderson Cancer Center was ordered to pay a civil monetary penalty of $4,348,000. Penalties for "willful neglect" violations can range from . In many cases, records were only provided after OCR intervened. As a result of this review, the hospital revised the distribution of the OR schedule, limiting it to those who have a need to know.
Private Practice Ceases Conditioning of Compliance with the Privacy Rule
A pharmacy employee placed a customer's insurance card in another customer's prescription bag.
Mental Health Center Provides Access and Revises Policies and Procedures
Issue: Minimum Necessary; Confidential Communications.
The pharmacy did not consider the customer's insurance card to be protected health information (PHI). All Inclusive Medical Services, Inc. (AIMS) is a Carmichael, CA-based multi-specialty family medicine clinic. Raleigh Orthopaedic has agreed to pay OCR $750,000 for failing to enter into a business associate agreement (BAA) with a vendor before handing over the protected health information (PHI) of 17,300 patients in 2013. Among other corrective actions to resolve the specific issues in the case, OCR required that the social service agency develop procedures for properly disclosing protected health information only to its valid business associates and to train its staff on the new processes.
Covered Entity: Private Practices
The default security settings were left in place, which allowed any individual with an Internet connection to gain access to the ePHI in the files. The records were provided on September 14, 2020. The diagnostic laboratory settled the case with OCR and paid a $16,500 financial penalty. The maximum financial penalty, for willful neglect of the HIPAA Rules, is $1.5 million, per violation category, per year.
Large Health System Restricts Provider's Use of Patient Records
Radiologist Revises Process for Workers' Compensation Disclosures
OCR also discovered a business associate failure.
Issue: Safeguards, Minimum Necessary.
CNE is required to pay a financial penalty of $400,000 and must adopt a comprehensive Corrective Action Plan (CAP) to address various areas of HIPAA non-compliance. CardioNet is a Pennsylvania-based provider of remote mobile monitoring and rapid response services to patients at risk for cardiac arrhythmias.
Issue: Safeguards; Impermissible Uses and Disclosures.
There are four tiers of HIPAA violation penalties for nurses, ranging from unknowing violations to willful neglect of HIPAA Rules. Presence Health, one of the largest healthcare networks serving residents of Illinois, has agreed to pay OCR $475,000 to settle potential HIPAA Breach Notification Rule violations.
Hospital Revises Email Distribution as a Result of a Disclosure to Persons Without a "Need to Know"
Issue: Access.
Among the corrective actions required to resolve this case, OCR required the insurer to correct the flaw in its computer system, review all transactions for a six-month period and correct all corrupted patient information. HIPAA violation penalties are tiered based on the level of negligence determined by the Department of Health and Human Services or the state attorney general. The HHS has announced that Lahey Hospital and Medical Center has agreed to settle a case with the Office for Civil Rights over alleged HIPAA violations following a data breach that occurred in October 2011.
Covered Entity: Health Care Provider
The paperwork was taken by a member of the public who sold the material to a recycling facility. OCR investigated three breaches involving the loss of a laptop computer and two unencrypted thumb drives containing patients' PHI.
The doctor was retiring and received a delivery of 71 boxes of medical files containing up to 8,000 patient records; however, the delivery was made, and the boxes were left on the doctor's driveway, while he was out of the house. The Paubox team exported all reported incidents from HHS's official Breach Portal from January 1, 2019 to December 31, 2019 and used the data to compile the following summary. The Department of Health and Human Services' Office for Civil Rights (OCR) has fined New York Presbyterian Hospital (NYP) $2.2 million for allowing patients to be filmed for a TV show without obtaining prior permission from patients. The cost-of-living adjustment multiplier for 2023 is 1.07745, but this has not officially been applied by the HHS. An article published in the LA Times started a sequence of events that has now resulted in Shasta Regional Medical Center (SRMC) agreeing to a settlement of $275,000 for its violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The case was settled for $2.175 million. The penalties for a HIPAA violation are determined by the CE; HIPAA itself does not explicitly state what types of HIPAA violations will and will not result in the loss of a job. While the Privacy Rule may permit the disclosure of an OR schedule containing PHI, in this case a hospital employee shared the OR schedule with the complainant's supervisor, who was not part of the employee's treatment team and did not need the information for payment, health care operations, or other permissible purposes. As of July 2022, there have been 38 HIPAA Right of Access cases under this compliance initiative that resulted in financial penalties. Elite Primary Care is a provider of primary health services in Georgia. Gossip is a casual conversation about other people which can be positive, neutral, or negative. The claim included the patient's test results.
Contacting individuals to participate in a research study is a use or disclosure of protected health information (PHI) for recruitment, as it is part of the research and is not an activity preparatory to research. A violation that occurred despite reasonable vigilance can attract a fine of $1,000 to $50,000. An OCR investigation also indicated that the confidential communications requirements were not followed, as the employee left the message at the patient's home telephone number, despite the patient's instructions to contact her through her work number. OCR clarified that an individual's health insurance card meets the statutory definition of PHI and, as such, needs to be safeguarded. For only the second time in its history, OCR has ordered a HIPAA-covered entity to pay civil monetary penalties for HIPAA violations.
Issue: Impermissible Disclosure; Confidential Communications.
The new procedures were instituted in Medicaid offices and independent health care programs under the jurisdiction of the municipal social service agency.
Covered Entity: Outpatient Facility
The case was settled for $160,000. A settlement of $500,000 was agreed upon to resolve the alleged HIPAA violations. OCR also identified issues with the notice of privacy practices, and a HIPAA privacy officer had not been appointed. OCR received two complaints from patients in 2019 alleging they had to wait several months to receive a copy of their medical records. Aetna Life Insurance Company and the affiliated covered entity (Aetna) were investigated over three data breaches that exposed the ePHI of 18,489 individuals.
Large Provider Revises Patient Contact Process to Reflect Requests for Confidential Communications
A hospital employee did not observe minimum necessary requirements when she left a telephone message with the daughter of a patient that detailed both her medical condition and treatment plan. Within the space of three months, the protected health information of over 7,000 patients was exposed. The Department of Health and Human Services' Office for Civil Rights has announced it has arrived at a settlement with Care New England Health System (CNE) to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). Housing Works, Inc. is a New York City-based non-profit healthcare organization that provides healthcare, homeless services, and legal aid support for people affected by HIV/AIDS. The new procedures were incorporated into the standard staff privacy training, both as part of a refresher series and mandatory yearly compliance training. OCR received a complaint from a patient who had not been provided with her medical records after a 2-month wait.