Nurse HIPAA Violation Cases
This discrepancy is expected to be addressed through further rulemaking to make the new penalty structure permanent. An investigation into Anthem Inc.'s massive 78.8 million-record data breach of 2015 revealed multiple HIPAA violations. A private practice failed to honor an individual's request for a complete copy of her minor son's medical record. Memorial Hermann Health System has agreed to pay OCR $2,400,000. Memorial Healthcare Systems has paid the penalty for non-compliance with HIPAA Rules, and in addition to the $5.5 million settlement, a robust corrective action plan must be adopted to address all areas of non-compliance. Renown Health, a not-for-profit healthcare network in Northern Nevada, failed to provide a patient's attorney with a copy of her medical and billing records within 30 days. Activities considered preparatory to research include: preparing a research protocol; developing a research hypothesis; and identifying prospective research participants. The records were provided on September 14, 2020. Issue: Impermissible Uses and Disclosures; Safeguards. Issue: Impermissible Use. OCR also identified issues with the notice of privacy practices, and there was no HIPAA privacy officer. Issue: Impermissible Uses and Disclosures; Authorizations. The patient filed a complaint with OCR and the records were eventually provided more than 10 months later. Issue: Impermissible Use and Disclosure. A complainant, who was both a patient and an employee of the hospital, alleged that her protected health information (PHI) was impermissibly disclosed to her supervisor. Anthem agreed to a record-breaking settlement of $16,000,000 to resolve the case. By increasing its enforcement activity, OCR is sending a message to all covered entities, large and small, that violations of HIPAA Rules will not be tolerated. A state health sciences center disclosed protected health information to a complainant's employer without authorization.
Content created by the Office for Civil Rights (OCR). Content last reviewed December 23, 2022. OCR's investigation confirmed that the use and disclosure of protected health information by the supervisor was not authorized by the employee and was not otherwise permitted by the Privacy Rule. Issue: Impermissible Uses and Disclosures. The case was settled for $100,000. King MD is a small provider of psychiatric services in Virginia. An Accusation is a legal document formally charging a registered nurse with a violation (or violations) of the Nursing Practice Act, and notifying the public that a disciplinary action is pending against that nurse. To resolve the matter, OCR required the pharmacy chain and the law firm to enter into a business associate agreement. Listed below are all the OCR HIPAA violation cases that have resulted in a financial penalty. For one violation, fines can range from $100 to $50,000 for each instance of wrongdoing. A violation due to willful neglect which is not corrected within thirty days will attract the maximum fine of $50,000. A Nurse's Guide to the Use of Social Media discusses the case of a hospice nurse whose cancer patient had posted about her depression. Covered Entity: General Hospital. Issue: Minimum Necessary; Confidential Communications. Convicted of a crime substantially related to the qualifications, functions, and duties of an RN: A patient submitted a complaint to OCR about an impermissible disclosure of PHI in a mailing. OCR investigated a breach reported by the Department of Veterans Affairs involving a business associate, Authentidate Holding Corporation. Honolulu-based Hawaii Pacific Health fired an employee in March after discovering the employee had inappropriately accessed patient medical records between November 2014 and January 2020. To avoid these, a proactive approach should include a regular risk assessment and corrective action plan.
A public hospital, in response to a subpoena (not accompanied by a court order), impermissibly disclosed the protected health information (PHI) of one of its patients. Nurses' HIPAA Violation Examples: The list of potential HIPAA violations by nurses is long, so the most commonly experienced nurse HIPAA violations are listed below. OCR received a complaint from a patient who had not been provided with a copy of his medical records. Question: Dear Nancy, can an RN lose his or her nursing license over a HIPAA violation? Issue: Safeguards. If a nurse breaches HIPAA, a patient cannot sue the nurse directly for a HIPAA breach. Covered Entity: General Hospitals. Following the report of the theft of a laptop from the Springfield Missouri Physical Therapy Center, Concentra Health Services was subjected to an investigation by OCR. In April 2019, OCR reexamined the HITECH Act, determined the language had been misinterpreted, and issued a Notice of Enforcement Discretion stating that the maximum annual penalties in each penalty tier would be changed to reflect the seriousness of the violations. A nurse working at a clinic in New York became one of many HIPAA violation examples when her sister-in-law's boyfriend was diagnosed with an STD (sexually transmitted disease). An employee at a mid-size clinic was involved in a suit when an auto collision victim sued her spouse. OCR investigated a complaint from a mother who requested a copy of her son's medical records from St. Joseph's Hospital and Medical Center but had not been provided with a complete set of the records. Aim: This study aimed to evaluate nurses' ability to evaluate ethical violations in hypothetical case studies involving social media use. MIE also settled a multi-state action with state attorneys general and paid a penalty of $900,000. OCR investigated the allegation and found no evidence that the law firm had impermissibly disclosed the customer's PHI. The case was settled for $3 million.
Among other corrective actions to resolve the specific issues in the case, the pharmacy revised its policies regarding PHI and retrained its staff. There are four tiers of HIPAA violation penalties for nurses, ranging from unknowing violations to willful neglect of HIPAA Rules. An employee's medical record is protected by the Privacy Rule, even though employment records held by a covered entity in its role as employer are not. Issue: Conditioning Compliance with the Privacy Rule. Parkview Healthcare System has agreed to pay an $800,000 settlement for a violation of the HIPAA Privacy Rule. An employee of a major health insurer impermissibly disclosed the protected health information of one of its members without following the insurer's authorization and verification procedures. The case was settled for $850,000. OCR required the covered entity to cease using the patient agreement that conditioned the entity's compliance with the Privacy Rule. A radiology practice that interpreted a hospital patient's imaging tests submitted a workers' compensation claim to the patient's employer. Arbour Hospital, a mental health clinic in Boston, MA, failed to provide a patient with the requested medical records within 30 days. Covered Entity: General Hospital. Among other corrective actions taken, the Center provided the complainant with a copy of her medical record and revised its policies and procedures to ensure that it provides timely access to all individuals. The nurse explained that the two individuals whose . Among other corrective actions to resolve the specific issues in the case, OCR required the health insurer to train its staff on the applicable policies and procedures and to mitigate the harm to the individual. OCR has just announced it has agreed to the largest ever HIPAA settlement with a single covered entity. Delaware Co. June 5, 2012). Issue: Safeguards.
The settlement relates to the impermissible disclosure of the electronic protected health information of 2,209 patients in 2011. The case was settled for $1,000,000. OCR launched an investigation into the Carroll County, GA ambulance company, West Georgia Ambulance, after being notified about the loss of an unencrypted laptop computer that contained the PHI of 500 patients. Scott Harris and the rest of our team at S J Harris Law will be ready to help you pursue any option available that allows you to keep your license and continue working, no matter what industry you are in. An organization's willingness to assist with an investigation is also taken into account. The acknowledgement form is now included in the intake package of forms. Memphis Commercial Appeal. We've aggregated the ultimate list of reported celebrity HIPAA violations. Providence Health & Services. The data breach investigation revealed a substandard security management process and a catalog of HIPAA Security Rule violations. When dealing with these complex issues, you need legal representation that has a long track record of success in these types of cases. HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines. Issue: Impermissible Use and Disclosure. OCR settled the case for $30,000. Employees were trained to provide only the minimum necessary information in messages, and were given specific direction as to what information could be left in a message. Issue: Impermissible Uses and Disclosures. In 2015, Excellus Health Plan reported a breach of the ePHI of 9,358,891 individuals. OCR settled the case for $22,500.
Covered Entity: Health Care Provider. The penalties for HIPAA violations through OCR are as follows: Tier 1: minimum fine of $100 per violation, up to $50,000; Tier 2: minimum fine of $1,000 per violation, up to $50,000; Tier 3: minimum fine of $10,000 per violation, up to $50,000; Tier 4: minimum fine of $50,000 per violation. The case was settled for $6,850,000. OCR settled the case for $3,500. Among other corrective actions to resolve the specific issues in the case, OCR required that the pharmacy chain implement national policies and procedures to safeguard the log books. Issue: Impermissible Uses and Disclosures; Authorizations. Some cases can also result in imprisonment for up to one year for a standard violation and for up to five years for a violation committed under false pretenses. OCR determined there had been risk analysis failures, insufficient reviews of system activity, a failure to respond adequately to a detected breach, and insufficient technical controls to prevent unauthorized ePHI access. WellPoint is one of the largest providers of Affiliated Health Plans, with almost 36 million policyholders across the United States. ACPM Podiatry in Illinois did not provide a former patient with his requested records, and despite the intervention of OCR, the patient was still not provided with the requested records due to the non-payment of a bill by the insurance company. OCR's investigation revealed that periodic technical and non-technical evaluations of operational changes affecting the security of their electronic PHI had not been performed, procedures had not been implemented to verify the identity of individuals accessing their ePHI, there was a lack of ePHI safeguards, and Aetna had violated the minimum necessary standard. The Department of Health and Human Services' Office for Civil Rights announced a new HIPAA settlement to resolve violations of the HIPAA Privacy Rule.
A patient's rights under the Privacy Rule are not contingent on the patient's agreement with a covered entity. Among other corrective actions to resolve the specific issues in the case, OCR required the covered entity to revise its policy. OCR investigated a complaint about an impermissible disclosure of a patient's PHI to a reporter. OCR settled the case for $55,000. The case was settled for $1,500,000. QCA Health Plan has agreed to settle the HIPAA violations with OCR for $250,000. The HIPAA Right of Access violation was settled with OCR for $30,000. An OCR investigation into an impermissible disclosure of 9,255 individuals' PHI by Advanced Care Hospitalists, a business associate of a HIPAA-covered entity, revealed serious HIPAA compliance failures, including a lack of a BAA, insufficient security measures to protect ePHI, and no documentation showing there had been any HIPAA compliance efforts prior to April 1, 2014. OCR intervened and closed the case but received a second complaint a month later when the records had still not been provided. OCR determined that there had been an impermissible disclosure of 34,883 patients' ePHI due to a lack of encryption. The server had been purchased and a file-sharing application was installed, yet no changes were made to the application. The outpatient facility reportedly believed that such disclosures were permitted by the Privacy Rule. The new procedures were instituted in Medicaid offices and independent health care programs under the jurisdiction of the municipal social service agency. OCR Imposes a $2.15 Million Civil Money Penalty against Jackson Health System for HIPAA Violations - October 23, 2019. Dental Practice Pays $10,000 to Settle Social Media Disclosures of Patients' Protected Health Information - October 2, 2019. OCR Settles First Case in HIPAA Right of Access Initiative - September 9, 2019.
OCR provided technical assistance to the covered entity, explaining that the Privacy Rule permits a covered entity to provide a summary of patient records rather than the full record only if the requesting individual agrees in advance to such a summary or explanation. An article published in the LA Times started a sequence of events that has now resulted in Shasta Regional Medical Center (SRMC) agreeing to a settlement of $275,000 for its violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule. The Department of Health and Human Services' Office for Civil Rights (OCR) imposed a $1.6 million civil monetary penalty (CMP) on the Texas Health and Human Services Commission (TX HHSC) for multiple violations of HIPAA Rules discovered during the investigation of an exposed internal application containing ePHI. Housing Works, Inc. is a New York City-based non-profit healthcare organization that provides healthcare, homeless services, and legal aid support for people affected by HIV/AIDS. The Department of Health and Human Services' Office for Civil Rights has sent another warning to HIPAA-covered entities about the need to obtain signed, HIPAA-compliant business associate agreements with all vendors prior to disclosing any protected health information. The possibility of HIPAA lawsuits brought forth by patients and breach victims could change HIPAA enforcement. The nurse sent six text messages, warning the man's girlfriend about the disease. The last update to the HIPAA violation penalty amounts applies to cases assessed on or after March 17, 2022, as detailed in the table below. *Table last updated in March 2022. The complainant alleged that a mental health center (the "Center") improperly provided her records to her auto insurance company and refused to provide her with a copy of her medical records.
Covered Entity: General Hospital. HIPAA Journal's goal is to assist HIPAA-covered entities in achieving and maintaining compliance with state and federal regulations governing the use, storage and disclosure of PHI and PII. When you're discussing a patient's information on the phone, you need to be in a private place where others can't hear you. Outpatient Surgical Facility Corrects Privacy Procedure in Research Recruitment. Among other corrective actions to resolve the specific issues in the case, including mitigation of harm to the complainant, OCR required the Center to revise its procedures regarding patient authorization prior to release of protected health information to an employer. The case was settled for $2.175 million. Covered Entity: Mental Health Center. The man sued the clinic, even though it had already dismissed the nurse from her job. The hospital asserted that the disclosures were made to avert a serious threat to health or safety; however, OCR's investigation indicated that the disclosures did not meet the Privacy Rule's standard for such actions. The case was settled for $25,000. A New York City Hospital Is Investigating a Nurse for Sharing Video Footage With The Intercept. Lillian Udell is being investigated for violating privacy laws after sharing video of nurses. Since HIPAA's enactment in 1996, we've witnessed almost 20 reported cases of unauthorized personnel looking up the medical records of celebrities. An investigation of five separate breaches at HIPAA-covered entities owned by Fresenius Medical Care North America revealed that multiple HIPAA violations had contributed to the breaches. Issue: Impermissible Uses and Disclosures; Business Associates. This case study involving one nursing education program's experience with a HIPAA violation illustrates how one nursing college dealt with a student's HIPAA .
A patient of Elite Dental Associates submitted a complaint to OCR stating her PHI had been disclosed by Elite Dental Associates in response to a review on Yelp. Mental Health Center Provides Access after Denial. OCR investigated and found multiple potential HIPAA violations, such as the failure to conduct a thorough risk analysis, risk management failures, and insufficient mechanisms to identify suspicious network activity. Triple S was also required to pay a HIPAA violation penalty of $6.8 million to the Puerto Rico Health Insurance Administration for a failure to comply with the Health Insurance Portability and Accountability Act's Privacy Rule last year, although the HIPAA violation fine was reduced to $1.5 million on appeal. A covered entity's obligation to comply with all requirements of the Privacy Rule cannot be conditioned on the patient's silence. The records were provided within days of OCR intervening. The chain acknowledged that log books contained protected health information and implemented the required changes. Paradise Family Dental was investigated in response to a complaint that a parent had not been provided with a copy of her minor child's medical records, despite submitting multiple requests to the practice. The Department of Health and Human Services' Office for Civil Rights announced yesterday that the University of Mississippi Medical Center (UMMC) has agreed to settle alleged HIPAA violations and will pay a financial penalty of $2.75 million. Health Plan Corrects Impermissible Disclosure of PHI through Training, Mitigation, and Sanctions. Wise Psychiatry is a small provider of psychiatric services in Colorado. A complainant alleged that a private practice physician denied her access to her medical records because the complainant had an outstanding balance for services the physician had provided.
Southwest Surgical Associates in Texas took 13 months, between February 11, 2020, and March 5, 2021, to provide a patient with all of the requested records. Failure to report a violation could have serious consequences. However, the patient was not covered by workers' compensation and had not identified workers' compensation as responsible for payment. After the permanent closure of the company, paperwork containing former patients' PHI was discarded by FileFax. The hospital also trained relevant staff members on the new procedures. During the investigation, OCR discovered the business associate had acquired Peachstate, a CLIA-certified laboratory that provides clinical and genetic testing services. Anchorage Community Mental Health Services (ACMHS) runs five mental health facilities in Alaska and is a non-profit organization. Issue: Safeguards; Minimum Necessary. In 2015, Premera discovered there had been a breach of the ePHI of 10,466,692 individuals. The Paubox team exported all reported incidents from HHS's official Breach Portal from January 1, 2019 to December 31, 2019 and used the data to compile the following summary. OCR investigated and identified longstanding, systemic noncompliance with the HIPAA Security Rule, including risk analysis and risk management failures and the failure to provide security awareness training to employees. Covered Entity: Private Practice. In case you aren't sure what I mean regarding judgment and professional boundaries: nurses need to avoid the appearance of impropriety. Prison Time for Scheme to Frame Nurse for HIPAA Violations. HIPAA violations don't just occur when a nurse posts something of their own accord. Had software patches been installed on the computers, the malware would not have been able to infect the PCs.
Large Health System Restricts Provider's Use of Patient Records. Cancer Care Group, an Indiana-based radiation oncology private physician practice, has agreed to settle with the Department of Health and Human Services' Office for Civil Rights for $750,000 for potential HIPAA violations relating to a 2012 data breach. HIPAA violation penalties are tiered based on the level of negligence determined by the Department of Health and Human Services or the state attorney general. OCR determined there had been a risk analysis failure, access control failure, information system activity monitoring failure, and an impermissible disclosure of 6,617 patients' ePHI. It took multiple requests and almost 5 months for all of the requested medical records to be provided. The Notice of Enforcement Discretion only applied a cap to each violation tier. Among other actions taken to satisfactorily resolve this matter, the hospital took further disciplinary action with the nurse, which included: documenting the employee record with a memo of the incident; one year probation; referral for peer review; and further training on HIPAA Privacy. Issue: Access. Improper Disposal: HIPAA rules state medical professionals must dispose of PHI in a secure manner. OCR discovered risk analysis failures, a lack of policies covering electronic devices, a lack of encryption or alternative safeguards, insufficient security policies, and insufficient physical safeguards, resulting in an impermissible disclosure of 521 individuals' PHI. The data breach was caused when a computer server firewall was deactivated by a physician at Columbia University, leaving electronic PHI exposed and accessible via search engines.