nurse hipaa violation cases

Had software patches been installed on the computers, the malware would not have been able to infect the PCs. By 2011, the UCLA Health System would agree to pay a fine of $865,000 to settle HIPAA privacy violations at its three hospitals. The HIPAA Right of Access violation was settled with OCR for $30,000. A radiology practice that interpreted a hospital patient's imaging tests submitted a workers' compensation claim to the patient's employer. Therefore you should assess employees' security awareness as part of a risk analysis to see whether more training is required. To resolve this matter, OCR also required the practice to revise the office's fax cover page to underscore that the communication is confidential and intended only for the named recipient.

Issue: Conditioning Compliance with the Privacy Rule. Between October 23, 2009, and March 7, 2010, part of its database of policyholders was accessible to unauthorized individuals. Orlando, FL-based primary care provider Health Specialists of Central Florida Inc. was investigated by OCR after receipt of a complaint from a woman who had not been provided with a copy of her deceased father's medical records.

State Hospital Sanctions Employees for Disclosing Patient's PHI. The disclosure was not consistent with documents approved by the Institutional Review Board (IRB). OCR intervened and closed the case but received a second complaint a year later alleging the records had still not been provided. Skagit County, Washington is paying the price for failing to implement the appropriate controls and safeguards to protect the data it held.

Copyright 2014-2023 HIPAA Journal.
OCR also determined that the Center denied the complainant's request for access because her therapists believed providing the records to her would likely cause her substantial harm.

Improper Disposal. HIPAA rules state that medical professionals must dispose of PHI in a secure manner. HIPAA violations are not uncommon. The chain acknowledged that log books contained protected health information and implemented the required changes. OCR intervened and the records were provided 8 months after the initial request.

September 05, 2017 - A Kentucky hospital was found to have acted lawfully when it fired a nurse for committing a HIPAA violation, according to the Kentucky Court of Appeals. In August 2012, Cancer Care Group discovered that a laptop computer and an unencrypted backup drive had been stolen from the vehicle of an employee. The case was settled for $1,250,000. OCR also found the Notice of Privacy Practices to be inadequate. Gossip is casual conversation about other people, which can be positive, neutral, or negative. A patient of Elite Dental Associates submitted a complaint to OCR stating that her PHI had been disclosed by Elite Dental Associates in response to a review on Yelp. The case was settled for $36,000. Among other corrective actions to resolve the specific issues in the case, the pharmacy revised its policies regarding PHI and retrained its staff. QCA Health Plan has agreed to settle the HIPAA violations with OCR for $250,000. Fallbrook Family Health Center in Nebraska failed to provide a patient with timely access to the requested medical records. Documentation was uncovered that clearly showed that mobile devices were believed to represent a critical security risk, yet action was not taken to address this issue in time to prevent the data breach.
Brigham and Women's Hospital agreed to settle the alleged HIPAA violations with OCR for $384,000. The impermissible disclosures of PHI resulted in a $10,000 settlement. An OCR investigation indicated that the form the HMO relied on to make the disclosure was not a valid authorization under the Privacy Rule. A patient's rights under the Privacy Rule are not contingent on the patient's agreement with a covered entity. If a nurse breaches HIPAA, a patient cannot sue the nurse directly for a HIPAA breach. The possibility of HIPAA lawsuits brought by patients and breach victims could change HIPAA enforcement. The hacker stole data, attempted to extort money, and leaked the ePHI of 208,557 patients online when payment was not received.

Physician Revises Faxing Procedures to Safeguard PHI. OCR launched an investigation into the Carroll County, GA ambulance company West Georgia Ambulance after being notified about the loss of an unencrypted laptop computer that contained the PHI of 500 patients. Issue: Impermissible Disclosure; Confidential Communications. Alternatively, financial penalties can be imposed if a breach of ePHI violates state laws. That's almost an hour devoted to talking about someone else. In 2017, Lifespan mentioned in a news release that someone had broken into an employee's vehicle and stolen their work laptop. Upon learning of the incident, the hospital placed both employees on leave; the orderly resigned his employment shortly thereafter. Comments and replies to someone else's post, chat room gossip (even if it's a private room), or leaving a review on a site like Yelp open the door to potential HIPAA violations. An OCR investigation confirmed allegations that a dental practice flagged some of its medical records with a red sticker with the word "AIDS" on the outside cover, and that records were handled so that other patients and staff without a need to know could read the sticker.
The case was settled for $200,000. CHSPSC LLC is a Tennessee-based management company that provides services to affiliates of Community Health Systems. It took 225 days from the initial request for the records to be provided. Idaho State University's Pocatello Family Medicine Clinic disabled the firewall that was protecting a server containing the medical records of 17,500 patients. In 2015, Excellus Health Plan reported a breach of the ePHI of 9,358,891 individuals. Issue: Safeguards, Minimum Necessary. The case was settled with OCR for $300,640. Cornell Pharmacy is a single-location healthcare provider that mostly serves hospice care organizations in Denver and provides compounded medications. The case was settled for $202,400. The Office for Civil Rights has issued a statement confirming that an agreement has been reached with Adult & Pediatric Dermatology, P.C., of Concord, Massachusetts, following the accidental disclosure of the PHI of approximately 2,200 patients after a memory stick was stolen from the car of one of the center's employees. OCR settled the case for $65,000. The new authorization specifies what records and/or portions of the files will be disclosed, and the authorization will be kept in the patient's record together with the disclosed information.

Health Plan Corrects Impermissible Disclosure of PHI through Training, Mitigation, and Sanctions. A patient alleged that a general hospital disclosed protected health information when a hospital staff person left a message on the patient's home phone answering machine, thereby failing to accommodate the patient's request that communications of PHI be made only through her mobile or work phones. Among other corrective actions to resolve the specific issues in the case, OCR required that the private practice revise its policies and procedures regarding access requests to reflect the individual's right of access regardless of payment source.
A settlement was agreed upon with OCR that included a $25,000 penalty. State Attorneys General can also impose financial penalties on HIPAA-covered entities and business associates for violations of the HIPAA Rules. Disciplinary actions are part of the public record. Oregon Health & Science University (OHSU) has agreed to settle a case with the Department of Health and Human Services' Office for Civil Rights stemming from two data breaches experienced in 2013.

Covered Entity: Mental Health Center. Lawrence Bell, Jr., D.D.S. in Maryland failed to provide a patient with timely access to the requested medical records. OCR intervened and provided technical assistance on the HIPAA Right of Access but received a second complaint when the practice continued to deny him access. OCR intervened but received a second complaint a month later when the records had still not been provided. If an organization fails to take corrective action after having been issued a fine, the HHS Office for Civil Rights can impose subsequent fines.

Private Practice Revises Process to Provide Access to Records. Since HIPAA's enactment in 1996, we've witnessed almost 20 reported cases of unauthorized personnel looking up the medical records of celebrities. The Center did not, however, provide the complainant with the opportunity to have the denial reviewed, as required by the Privacy Rule. After the permanent closure of the company, paperwork containing former patients' PHI was discarded by FileFax.

Radiologist Revises Process for Workers' Compensation Disclosures. A complainant alleged that a private practice physician denied her access to her medical records because the complainant had an outstanding balance for services the physician had provided.
OCR confirmed that PHI had been disclosed without an authorization from the patient and that there had been no sanctions against the physician responsible, despite being warned in advance not to disclose any PHI. OCR provided technical assistance to the covered entity, explaining that the Privacy Rule permits a covered entity to provide a summary of patient records rather than the full record only if the requesting individual agrees in advance to such a summary or explanation.

Covered Entity: Multi-Hospital Healthcare Provider. Some of these were HIPAA violations from employees posting a patient's protected health information (PHI) on the social web. The pharmacy did not consider the customer's insurance card to be protected health information (PHI).

Outpatient Surgical Facility Corrects Privacy Procedure in Research Recruitment. The Department of Health and Human Services' Office for Civil Rights has announced it has arrived at a settlement with Care New England Health System (CNE) to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). The case was settled for $62,500.

Covered Entity: Private Practice. The case was settled for $6,850,000. The private practice maintained that the disclosure to the contract research organization was permissible as a review preparatory to research.

Health Sciences Center Revises Process to Prevent Unauthorized Disclosures to Employers. The complainant alleged that a mental health center (the "Center") refused to provide her with a copy of her medical record, including psychotherapy notes. Fines for "reasonable cause" violations range from $1,000 to $50,000 per violation (the tier 2 range under 45 CFR 160.404, before inflation adjustment). Issue: Safeguards. OCR received a complaint from a patient of NY Spine, a private New York medical practice, who alleged she had not been provided with a copy of the diagnostic films that she specifically requested.

Prison Time for Scheme to Frame Nurse for HIPAA Violations.
The man sued the clinic, even though it had already dismissed the nurse from her job. A penalty of $2.7 million will be paid by OHSU to settle alleged HIPAA violations without admission of liability. Even though it is not done maliciously. PHI had been intentionally provided to the media on three separate occasions. It did not change the maximum penalty for a violation, which means that the maximum penalty for a tier 1 violation is higher than the annual penalty cap; but for as long as the notice of enforcement discretion is in effect, the maximum penalty per year applies. Housing Works, Inc. is a New York City-based non-profit healthcare organization that provides healthcare, homeless services, and legal aid support for people affected by HIV/AIDS. Phoenix, AZ-based Banner Health is one of the largest healthcare systems in the United States.

November 30, 2021 - New York-based Huntington Hospital began notifying 13,000 patients of a data breach that exposed protected health information (PHI) and resulted in a former . OCR intervened and provided technical assistance, but it took 16 months for the records to be provided. The hospital also trained relevant staff members on the new procedures. Ridgewood, NJ-based Village Plastic Surgery failed to provide a patient with timely access to the requested medical records. MAPFRE has agreed to a $2,200,000 settlement with OCR. The HIPAA Right of Access violation was settled with OCR for $30,000. An Accusation is a legal document formally charging a registered nurse with a violation (or violations) of the Nursing Practice Act and notifying the public that a disciplinary action is pending against that nurse. An employee of a major health insurer impermissibly disclosed the protected health information of one of its members without following the insurer's authorization and verification procedures. Issue: Impermissible Disclosure; Research.
Since then, OCR has been cracking down on entities that have failed to provide individuals with timely access to their medical records.

Mental Health Center Provides Access after Denial. FileFax agreed to settle the alleged HIPAA violations for $100,000. Between 2005 and 2019, healthcare data breaches affected nearly 250 million people.

3 Examples of HIPAA Violation Cases. Example #1: When it comes to HIPAA, curiosity can kill the cat, or your career. A nurse practitioner who has privileges at a multi-hospital health care system, and who is part of the system's organized health care arrangement, impermissibly accessed the medical records of her ex-husband. Covered Entity: Pharmacies. Further, the covered entity's Privacy Officer and other representatives met with the patient and apologized, and followed the meeting with a written apology. The Privacy Rule requires covered entities to provide individuals with access to their medical records; however, the Privacy Rule exempts psychotherapy notes from this requirement.