The California-based psychiatric medical services provider failed to provide a patient with timely access to the requested medical records and charged an unreasonable fee when the records were eventually provided. Brigham and Women's Hospital agreed to settle the alleged HIPAA violations with OCR for $384,000. Sentara Hospitals reported the breach to OCR as having impacted 8 individuals. Covered Entity: Outpatient Facility. New England Dermatology and Laser Center in Massachusetts disposed of empty specimen containers in regular dumpsters between February 4, 2011, and March 31, 2021. Idaho State University's Pocatello Family Medicine Clinic disabled the firewall that was protecting a server containing the medical health records of 17,500 patients. An employee at a mid-size clinic was involved in a suit when an auto collision victim sued her spouse. A municipal social service agency disclosed protected health information while processing Medicaid applications by sending consolidated data to computer vendors that were not business associates. Outpatient Surgical Facility Corrects Privacy Procedure in Research Recruitment. OCR settled the case for $240,000. Covered Entity: Private Practices. A public hospital, in response to a subpoena (not accompanied by a court order), impermissibly disclosed the protected health information (PHI) of one of its patients. Between 2005 and 2019, healthcare data breaches affected nearly 250 million people. The penalties for a HIPAA violation are determined by the CE; HIPAA itself does not explicitly state what types of HIPAA violations will and will not result in the loss of a job. The Phoenix, Arizona-based non-profit health system, Banner Health, experienced a hacking incident that resulted in the impermissible disclosure of the PHI of 2.81 million individuals in 2016. It took 5 months from the initial request for the complete set of medical records to be provided.
National Pharmacy Chain Extends Protections for PHI on Insurance Cards. The Department of Health and Human Services' Office for Civil Rights has announced it has settled potential HIPAA violations with Feinstein Institute for Medical Research for $3.9 million. Issue: Access. The Department of Health and Human Services' Office for Civil Rights has agreed to a $650,000 settlement with University of Massachusetts Amherst (UMass). Among other corrective actions to resolve the specific issues in the case, OCR required the hospital to develop and implement a policy regarding disclosures related to serious threats to health and safety, and to train all members of the hospital staff on the new policy. OCR intervened and provided technical assistance, but it took 16 months for the records to be provided. Presence Health took three months to issue breach notifications when the Breach Notification Rule requires notifications to be sent within 60 days of the discovery of a breach. Convicted of a crime substantially related to the qualifications, functions, and duties of an RN: Now add up that time for a week, a month, or even a year. Issue: Access, Restrictions. In nursing education, a HIPAA violation made by a nursing student could result in a variety of disciplinary actions, including termination, but is rarely discussed in nursing literature. A contested hearing took place, and the board found the nurse: In April, nurses on the night shift at Denver Health Medical Center were caught making inappropriate comments about a male patient's genitalia, according to a report from the Colorado Department. Covered Entity: Health Plans / HMOs. A $2.5 million settlement has been agreed upon with CardioNet to resolve potential HIPAA violations. OCR also identified issues with the notice of privacy practices, and a HIPAA privacy officer had not been appointed. Issue: Impermissible Uses and Disclosures; Authorizations. Issue: Safeguards.
Athens Orthopedic Clinic PA in Georgia had its systems hacked in 2016. A settlement of $150,000 has been reached with OCR. In more serious cases, or where multiple violations have occurred, the nurse may lose their job. Covered Entity: Private Practice. The Office for Civil Rights has agreed to its largest-ever financial penalty for a violation of the Health Insurance Portability and Accountability Act's Privacy and Security Rules. A violation due to willful neglect which is corrected within thirty days will attract a fine of between $10,000 and $50,000. St. Luke's-Roosevelt Hospital Center Inc. has paid OCR $387,200 to resolve potential HIPAA violations discovered during an OCR investigation of a complaint about an impermissible disclosure of PHI. OCR also found the Notice of Privacy Practices to be inadequate. Private Practice Provides Access to All Records, Regardless of Source. Nurse Pleads Guilty to HIPAA Violation. A licensed practical nurse who pled guilty to wrongfully disclosing a patient's health information for personal gain faces a maximum penalty of 10 years imprisonment, a $250,000 fine, or both. The case was settled for $65,000. An OCR investigation into an impermissible disclosure of 9,255 individuals' PHI by Advanced Care Hospitalists, a business associate of a HIPAA-covered entity, revealed serious HIPAA compliance failures, including a lack of a BAA, insufficient security measures to protect ePHI, and no documentation showing there had been any HIPAA compliance efforts prior to April 1, 2014. A settlement of $85,000 was agreed upon to resolve the violation. Among other actions taken to satisfactorily resolve this matter, the hospital took further disciplinary action with the nurse, which included: documenting the employee record with a memo of the incident; one year probation; referral for peer review; and further training on HIPAA Privacy.
Employees also were trained to review registration information for patient contact directives regarding leaving messages. The financial consequences of violating HIPAA depend on the level of negligence and, if a breach has occurred, the number of records potentially exposed by the breach and the risk posed by the unauthorized disclosure: The figures listed above represent the fines that can be imposed by OCR. The revised policy was implemented in the chain's stores nationwide. OCR intervened and the records were provided 8 months after the initial request. renewals of licenses or APRN authorizations, or both. Lahey Hospital and Medical Center has agreed to pay $850,000 to settle the case without admission of liability. The Department of Health and Human Services' Office for Civil Rights announced a new HIPAA settlement to resolve violations of the HIPAA Privacy Rule. The employee responsible for the disclosure received a written disciplinary warning, and both the employee and the physician apologized to the patient. The above penalties were implemented as demanded by the HITECH Act of 2009 and increase annually in line with inflation. These cases include civil monetary penalties, where it has been established that HIPAA Rules have been violated, and settlements, where HIPAA violations have been alleged to have occurred but the covered entity or business associate has decided not to contest the case and has instead chosen to pay a financial penalty to resolve the potential HIPAA violations with no admission of liability. The following three years saw similar numbers of financial penalties; however, there was another major increase in HIPAA fines in 2020, when 19 HIPAA violation cases were settled with OCR. The HIPAA Right of Access violation was settled with OCR for $70,000.
Among other corrective actions to resolve the specific issues in the case, the practice apologized to the patient and sanctioned the employee responsible for the incident; trained all billing and coding staff on appropriate insurance claims submission; and revised its policies and procedures to require a specific request from workers' compensation carriers before submitting test results to them. Gossip is a casual conversation about other people which can be positive, neutral, or negative. A hospital employee did not observe minimum necessary requirements when she left a telephone message with the daughter of a patient that detailed both her medical condition and treatment plan. In some severe cases, yes, nurses can lose their jobs if they violate HIPAA. Hospital Implements New Minimum Necessary Policies for Telephone Messages. The case was settled for $850,000. On Tuesday, the Department of Justice said Jeffrey Parker of Rincon. Public Hospital Corrects Impermissible Disclosure of PHI in Response to a Subpoena. The case was settled for $5,100,000. The maximum financial penalty, for willful neglect of the HIPAA Rules, is $1.5 million, per violation category, per year. Issue: Impermissible Uses and Disclosures. Among other corrective actions to resolve the specific issues in the case, OCR required that the private practice revise its policies and procedures regarding access requests to reflect the individual's right of access regardless of payment source. Taking this into account, the figures OCR is working with are detailed in the table below and will apply indefinitely, until the next increase to account for inflation. Contacting individuals to participate in a research study is a use or disclosure of protected health information (PHI) for recruitment, as it is part of the research and is not an activity preparatory to research.
Nurses' HIPAA Violation Examples. The list of potential HIPAA violations by nurses is long, so the most commonly experienced nurse HIPAA violations are listed below: Among other corrective actions to resolve the specific issues in the case, OCR required that the social service agency develop procedures for properly disclosing protected health information only to its valid business associates and to train its staff on the new processes. One of the most common HIPAA violations is a result of lost company devices. The hospital disciplined and retrained the employee who made the impermissible disclosure. After OCR notified the entity of the allegation, the entity released the complainant's medical records but also billed him $100.00 for a records review fee as well as an administrative fee. OCR provided technical assistance and closed the case, but the records were still not provided. Violations related to HIPAA laws have serious consequences, including job loss and other penalties. When you're discussing a patient's information on the phone, you need to be in a private place where others can't hear you. OCR launched an investigation into the Carroll County, GA ambulance company, West Georgia Ambulance, after being notified about the loss of an unencrypted laptop computer that contained the PHI of 500 patients. The OCR investigation revealed a lack of business associate agreements, insufficient access rights, a risk analysis failure, a failure to respond to a security incident, a breach notification failure, and a media notification failure. The 2020 increase is largely due to OCR's HIPAA Right of Access enforcement initiative, which was launched in late 2019. Case Examples by Covered Entity. A pharmacy employee placed a customer's insurance card in another customer's prescription bag. Improper Disposal: HIPAA rules state medical professionals must dispose of PHI in a secure manner.
The nurse in question sent out six text messages to warn the patient's girlfriend about his STD. Pharmacy Chain Enters into Business Associate Agreement with Law Firm. Providence Health & Services. Following the report of the theft of a laptop from the Springfield, Missouri Physical Therapy Center, Concentra Health Services was subjected to an investigation by the OCR. Covered Entity: Health Plans. A violation of HIPAA attributable to ignorance can attract a fine of $100 to $50,000. Raleigh Orthopaedic Clinic, P.A., of North Carolina over alleged violations of HIPAA Rules. Data were accessed by unknown third parties after ePHI data was unwittingly transferred to a server accessible to the public. The nonprofit teaching hospital has also agreed to adopt the OCR's corrective action plan to address HIPAA-compliance issues discovered by OCR investigators. Life Hope Labs, LLC, in Sandy Springs, Georgia, failed to provide an individual with the medical records of her deceased father in a timely manner. This was OCR's first settlement under the 2019 HIPAA Right of Access enforcement initiative. In August 2012, Cancer Care Group discovered a laptop computer and unencrypted backup drive had been stolen from the vehicle of an employee. The case was settled for $100,000. Private Practice Revises Policies and Procedures Addressing Activities Preparatory to Research. A penalty of $2.7 million will be paid by OHSU to settle alleged HIPAA violations without admission of liability. Issue: Minimum Necessary; Confidential Communications. The Department of Health and Human Services' Office for Civil Rights has announced it has reached a settlement with North Memorial Health Care of Minnesota over alleged HIPAA violations from a 2011 data breach.
Private Practice Revises Access Procedure to Provide Access Despite an Outstanding Balance. Covered Entity: Health Care Provider. The data breach was caused when a computer server firewall was deactivated by a physician at Columbia University, leaving electronic PHI exposed and accessible via search engines. A patient of Elite Dental Associates submitted a complaint to OCR stating her PHI had been disclosed by Elite Dental Associates in response to a review on Yelp. The device contained a range of patients' ePHI, including full names, Social Security numbers, and dates of birth. Wake Health Medical Group, a Raleigh, NC-based provider of primary care and other health care services, failed to provide a patient with timely access to the requested medical records. Fallbrook Family Health Center in Nebraska failed to provide a patient with timely access to the requested medical records. The new authorization specifies what records and/or portions of the files will be disclosed, and the respective authorization will be kept in the patient's record, together with the disclosed information. OCR determined its compliance program had been in disarray for several years. Danbury Psychiatric Consultants in Massachusetts received a request for medical records on March 24, 2020, but access to the records was refused due to an outstanding bill. In addition, the covered entity forwarded the complainant a complete copy of the medical record. However, the investigation revealed that the pharmacy chain and the law firm had not entered into a Business Associate Agreement, as required by the Privacy Rule to ensure that PHI is appropriately safeguarded. HIPAA Journal's goal is to assist HIPAA-covered entities to achieve and maintain compliance with state and federal regulations governing the use, storage, and disclosure of PHI and PII. OCR settled the case for $5,000.
HMO Revises Process to Obtain Valid Authorizations. The data breach exposed the Protected Health Information of 55,000 patients. Anchorage Community Mental Health Services (ACMHS) runs five mental health facilities in Alaska and is a non-profit organization. The first bar in the group of three per year represents the complaints closed in which there was no violation, the second those in which there was corrective action, and the third reflects the total closures. OCR settled the case for $20,000. On May 9, 2014, Touchstone Medical Imaging was informed by the FBI that one of its FTP servers was accessible over the Internet and allowed anonymous connections to a shared directory. In 2017, Lifespan mentioned in a news release that someone broke into an employee vehicle and stole their work laptop. in Chicago, Illinois, was investigated in response to a complaint from a patient who had only been provided with a partial copy of her requested medical records. OCR stepped up enforcement of compliance with the HIPAA Rules in 2016, more than doubling the number of financial penalties. MIE also settled a multi-state action with state attorneys general and paid a penalty of $900,000. The case was settled with OCR for $300,640. Even posts that seem well-meaning can violate privacy and confidentiality. Covered Entity: Mental Health Center. Renown Health, a not-for-profit healthcare network in Northern Nevada, failed to provide a patient's attorney with a copy of her medical and billing records within 30 days. A patient submitted a complaint to OCR about an impermissible disclosure of PHI in a mailing. A physician practice requested that patients sign an agreement entitled "Consent and Mutual Agreement to Maintain Privacy." The agreement prohibited the patient from directly or indirectly publishing or airing commentary about the physician, his expertise, and/or treatment in exchange for the physician's compliance with the Privacy Rule.
164.308(a)(1)(ii)(B). PHI had been intentionally provided to the media on three separate occasions. The impermissible disclosures of PHI resulted in a $10,000 settlement. CHMC settled the HIPAA Right of Access case with OCR and paid an $80,000 penalty. The minimum fines are $100 per violation for tier 1, $1,000 per violation for tier 2, $10,000 per violation for tier 3, and $50,000 per violation for tier 4. An investigation into Anthem Inc.'s massive 78.8 million-record data breach of 2015 revealed multiple HIPAA violations. The HIPAA Right of Access violation was settled with OCR for $10,000. This will have long-lasting ramifications. The cost-of-living adjustment multiplier for 2023 is 1.07745, but this has not officially been applied by the HHS. There are four tiers of HIPAA violation penalties for nurses, ranging from unknowing violations to willful neglect of HIPAA Rules. Additionally, in order to prevent similar incidents, the hospital undertook a complete review of the distribution of the OR schedule. An employee of a major health insurer impermissibly disclosed the protected health information of one of its members without following the insurer's authorization and verification procedures. Also, computer screens displaying patient information were easily visible to patients. Issue: Safeguards; Impermissible Uses and Disclosures; Disclosures to Avert a Serious Threat to Health or Safety. OCR investigated a complaint about an impermissible disclosure of a patient's PHI to a reporter. The pharmacy did not consider the customer's insurance card to be protected health information (PHI). Among other corrective actions to resolve the specific issues in the case, OCR required that the pharmacy chain implement national policies and procedures to safeguard the log books. Issue: Conditioning Compliance with the Privacy Rule.
Covered Entity: General Hospital. OCR investigated a complaint from a mother who requested a copy of her son's medical records from St. Joseph's Hospital and Medical Center but had not been provided with a complete set of the records. CHSPSC LLC is a Tennessee-based management company that provides services to affiliates of Community Health Systems. An OCR investigation indicated that the form the HMO relied on to make the disclosure was not a valid authorization under the Privacy Rule. The case was contested, but an administrative law judge ruled in favor of OCR. OCR determined the lack of encryption was in violation of the HIPAA Security Rule, there were insufficient device and media controls, and a business associate agreement had not been entered into with its parent company. Issue: Safeguards, Minimum Necessary. Large Medicaid Plan Corrects Vulnerability that Resulted in Disclosure to Non-BA Vendors. QCA Health Plan has agreed to settle the HIPAA violations with OCR for $250,000. OCR intervened and closed the case but received a second complaint a month later when the records had still not been provided. Nurses who deliberately obtain or disclose individually identifiable protected health information can face a fine of up to $50,000 and a maximum of 12 months in jail. Covered Entity: General Hospital. Paige. Mental Health Center Provides Access after Denial. The Office for Civil Rights has issued a statement confirming that an agreement has been reached with Adult & Pediatric Dermatology, P.C., of Concord, Massachusetts, following the accidental disclosure of approximately 2,200 patients after a memory stick was stolen from the car of one of the center's employees. Pharmacy Chain Institutes New Safeguards for PHI in Pseudoephedrine Log Books. Dentist Revises Process to Safeguard Medical Alert PHI. OCR settled the case for $22,500.
I personally would not expect a student to fully understand these things; correction and education would be in order rather than exaggerating the offenses to the level of a HIPAA violation. OCR imposed a civil monetary penalty of $100,000. Here are the top five misconceptions about FERPA and HIPAA that I regularly address in my work with schools. OCR provided technical assistance to the physician, explaining that, in general, the Privacy Rule requires that a covered entity provide an individual access to their medical record within 30 days of a request, regardless of whether or not the individual has a balance due. In 2015, Excellus Health Plan reported a breach of the ePHI of 9,358,891 individuals. Puerto Rico Blue Cross Blue Shield licensee Triple S Management Corporation has agreed to pay a HIPAA violation fine of $3.5 million to the Department of Health and Human Services' Office for Civil Rights. Some of these were accidental. When notified of the complaint filed with OCR, the dental practice immediately removed the red AIDS sticker from the complainant's file. The Office for Civil Rights has announced a settlement of $1,215,780 has been reached with Affinity Health Plan, Inc., to resolve potential HIPAA violations discovered during a breach investigation. Among other corrective actions to resolve the specific issues in the case, a letter of reprimand was placed in the supervisor's personnel file and the supervisor received additional training about the Privacy Rule. The case was settled for $1,000,000. By increasing its enforcement activity, OCR is sending a message to all covered entities, large and small, that violations of HIPAA Rules will not be tolerated. FileFax agreed to settle the alleged HIPAA violations for $100,000. OCR settled the case for $55,000. CHCS failed to perform a comprehensive risk analysis since September 23, 2013.
Covered Entity: General Hospital. HIPAA Journal states that if a nurse violates HIPAA, it is important that the incident is reported to the person responsible for HIPAA compliance in your facility or your supervisor. The directory contained files that included the protected health information (PHI) of 307,839 individuals. A complainant alleged that a private practice physician denied her access to her medical records because the complainant had an outstanding balance for services the physician had provided.