Some of these were accidental. Upon learning of the incident, the hospital placed both employees on leave; the orderly resigned his employment shortly thereafter. Skagit County, Washington is paying the price for failing to implement the appropriate controls and safeguards to protect the data it held. 164.308(a)(1)(ii)(B). Office for Civil Rights has announced a settlement of $1,215,780 has been reached with Affinity Health Plan, Inc., to resolve potential HIPAA violations discovered during a breach investigation. A $2.5 million settlement has been agreed upon with CardioNet to resolve potential HIPAA violations. Listed below are all the OCR HIPAA violation cases that have resulted in a financial penalty. Corinne S Kennedy. Operating as Agape Health Services, the company experienced a breach of the ePHI of 1,263 patients. The case was settled for $100,000. Issue: Impermissible Disclosure; Confidential Communications. Skagit County agreed to pay OCR $215,000 following the exposure of data of seven individuals. In 2015, Excellus Health Plan reported a breach of the ePHI of 9,358,891 individuals. A violation that occurred despite reasonable vigilance can attract a fine of $1,000 to $50,000. Issue: Safeguards. Another potential HIPAA violation that's easily overlooked is discussing information over the phone. Among other steps to resolve the specific issue in this case, OCR required the private practice to revise its access policy and procedures to affirm that, consistent with the Privacy Rule standards, patients have access to their record regardless of whether another entity created information contained within it. Between 2005 and 2019, healthcare data breaches affected nearly 250 million people.
Oklahoma State University Center for Health Sciences experienced a hacking incident that was reported to OCR in January 2018. Issue: Safeguards, Minimum Necessary. OCR has increased its enforcement activities in recent years. Covered Entity: Private Practice OCR settled the case for $30,000. Washington, NC-based Metropolitan Community Health Services is a Federally Qualified Health Center. The Center for Children's Digestive Health (CCDH), a small 7-center pediatric subspecialty practice based in Park Ridge, Illinois, has agreed to pay OCR $31,000 to resolve potential HIPAA violations. Under the revised policies and procedures, the practice may use and disclose PHI for research purposes, including recruitment, only if a valid authorization is obtained from each individual or if the covered entity obtains documentation that an alteration to or a waiver of the authorization requirement has been approved by an IRB or a Privacy Board. If not, the form is invalid and any information released to a third party would be in violation of HIPAA regulations. 4) Loss or Theft of Devices. After OCR intervened, the records were provided, but it took 22 months from the initial date of the request. Covered Entity: General Hospital Criminal violations of HIPAA Rules are dealt with by the U.S. Department of Justice. An OCR investigation also indicated that the confidential communications requirements were not followed, as the employee left the message at the patient's home telephone number, despite the patient's instructions to contact her through her work number. HIPAA Violation Case Settled Between Ambulance Company & OCR for $65,000.
An OCR investigation into an impermissible disclosure of 9,255 individuals' PHI by Advanced Care Hospitalists, a business associate of a HIPAA-covered entity, revealed serious HIPAA compliance failures including a lack of a BAA, insufficient security measures to protect ePHI, and no documentation showing there had been any HIPAA compliance efforts prior to April 1, 2014. Disciplinary actions are part of the public record. Issue: Impermissible Uses and Disclosures; Authorizations. Even though it is not done maliciously. The nonprofit teaching hospital has also agreed to adopt OCR's corrective action plan to address HIPAA-compliance issues discovered by OCR investigators. The California-based psychiatric medical services provider failed to provide a patient with timely access to the requested medical records and charged an unreasonable fee when the records were eventually provided. Large Health System Restricts Provider's Use of Patient Records In August 2012, Cancer Care Group discovered a laptop computer and unencrypted backup drive had been stolen from the vehicle of an employee. It took multiple requests and almost 5 months for all of the requested medical records to be provided. A good example of this is a laptop that is stolen. The chain acknowledged that log books contained protected health information and implemented the required changes. There are two key events to consider when looking at the timeline of penalties for HIPAA violations: the passage of the HITECH Act in 2009, which reversed the burden of proof for HIPAA violations, and the HIPAA Omnibus Rule in 2013, which enacted the passage of the HITECH Act, making business associates liable for HIPAA violations that were their fault. Without a properly executed agreement, a covered entity may not disclose PHI to its law firm. OCR also identified issues with the notice of privacy practices and a HIPAA privacy officer had not been appointed.
Anchorage Community Mental Health Services (ACMHS) runs five mental health facilities in Alaska and is a non-profit organization. A Nurse's Guide to the Use of Social Media discusses the case of a hospice nurse whose cancer patient had posted about her depression. Improper Disposal HIPAA rules state medical professionals must dispose of PHI in a secure manner. After the investigation, Ms D was informed that she was being terminated from her job based on her violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for . As HIPAA violations are so severe, and may result in huge fines for Covered Entities, if . A physician practice requested that patients sign an agreement entitled Consent and Mutual Agreement to Maintain Privacy. The agreement prohibited the patient from directly or indirectly publishing or airing commentary about the physician, his expertise, and/or treatment in exchange for the physician's compliance with the Privacy Rule. Employees were trained to provide only the minimum necessary information in messages, and were given specific direction as to what information could be left in a message. Among other corrective action taken to resolve this issue, the Center provided the complainant with a copy of her records. Office for Civil Rights has agreed to its largest-ever financial penalty for a violation of the Health Insurance Portability and Accountability Act's Privacy and Security Rules. Had software patches been installed on the computers, the malware would not have been able to infect the PCs. A complaint alleged that an HMO impermissibly disclosed a member's PHI, when it sent her entire medical record to a disability insurance company without her authorization. Memorial Hermann Health System agreed to settle potential HIPAA Privacy Rule violations with the Department of Health and Human Services Office for Civil Rights for $2.4 million.
Health Plan Corrects Impermissible Disclosure of PHI through Training, Mitigation, and Sanctions The nurse received the board notice for a hearing and the allegations against her, which involved breaching her duty to protect the patients' confidentiality and privacy rights in violation of the state's nurse practice act and administrative rules. Private Practice Revises Process to Provide Access to Records Regardless of Payment Source The paperwork was taken by a member of the public who sold the material to a recycling facility. OCR intervened and closed the case but received a second complaint 6 months after the first stating the records had still not been provided. HIPAA Fails Kim Kardashian In 2013, medical employees decided to "Keep Up With The Kardashians," and it cost them their jobs. CHCS failed to perform a comprehensive risk analysis since September 23, 2013. An organization's willingness to assist with an investigation is also taken into account. An organization's prior history with regard to HIPAA non-compliance can also be a contributory factor in the calculation of penalties for HIPAA violations, and therefore a second or subsequent fine will likely be much larger than the first. Unprotected storage of private health information can be an issue. The Center did not, however, provide the complainant with the opportunity to have the denial reviewed, as required by the Privacy Rule. The data breach investigation revealed a substandard security management process and a catalog of HIPAA Security Rule violations. Parkview Healthcare System has agreed to pay an $800,000 settlement for a violation of the HIPAA Privacy Rule. Entity Rescinds Improper Charges for Medical Record Copies to Reflect Reasonable, Cost-Based Fees A violation due to willful neglect which is corrected within thirty days will attract a fine of between $10,000 and $50,000.
This case study involving one nursing education program's experience with a HIPAA violation illustrates how one nursing college dealt with a student's HIPAA . In more severe cases, or where multiple violations have occurred, the nurse may lose their job. Idaho State University's Pocatello Family Medicine Clinic disabled the firewall that was protecting a server containing the medical health records of 17,500 patients. All Inclusive Medical Services, Inc. (AIMS) is a Carmichael, CA-based multi-specialty family medicine clinic. Health Sciences Center Revises Process to Prevent Unauthorized Disclosures to Employers The infection resulted in the impermissible disclosure of the electronic protected health information of 1,670 individuals. Educators worry about the confidentiality of all student information, particularly the data relied upon in developing and implementing IEPs and Section 504 plans, often on account of "HIPAA . A violation of HIPAA attributable to ignorance can attract a fine of $100 - $50,000. Since then, OCR has been cracking down on entities that have failed to provide individuals with timely access to their medical records. Orlando, FL-based primary care provider, Health Specialists of Central Florida Inc., was investigated by OCR after receipt of a complaint from a woman who had not been provided with a copy of her deceased father's medical records. OCR settled the case for $55,000. The device was not protected by a password and data on the device was not encrypted. There are four tiers of HIPAA violation penalties for nurses, ranging from unknowing violations to willful neglect of HIPAA Rules.
Covered Entity: Health Care Provider Physician Revises Faxing Procedures to Safeguard PHI OCR announced that it has reached a settlement for $125,000 with a Denver-based healthcare provider, Cornell Pharmacy, following the improper disposal of patient health records. But violations are also quite serious. November 30, 2021 - New York-based Huntington Hospital began notifying 13,000 patients of a data breach that exposed protected health information (PHI) and resulted in a former . Convicted of a crime substantially related to the qualifications, functions, and duties of an RN: MIE also settled a multi-state action with state attorneys general and paid a penalty of $900,000. To resolve this matter, OCR also required the practice to revise the office's fax cover page to underscore a confidential communication for the intended recipient. The case was settled for $3 million. Issue: Access. OCR determined there had been a risk analysis failure and the case was settled for $100,000. Background: Inappropriate use of social media necessitates health institutes, academic institutes, nurses and educators to consider occupational ethical principles while creating a policy and guide on the usage of social media. However, the patient was not covered by workers' compensation and had not identified workers' compensation as responsible for payment. The Board can report disciplinary actions to other agencies that oversee nursing licenses. The device was not password-protected, and the personal information of over 20,000 patients wasn't encrypted. Issue: Access. The Department of Health and Human Services Office for Civil Rights (OCR) has taken action against a Denver, CO-based federally-qualified health center (FQHC) for security management process failures that contributed to the organization experiencing a data breach in 2011.
Massachusetts General Hospital was fined for allowing an ABC film crew to record footage of patients as part of the Boston Med TV series, without first obtaining consent from patients. OCR has just announced it has agreed to the largest ever HIPAA settlement with a single covered entity. HIPAA requires nurses and other health care professionals to report any violations they witness, even if they recognize it was accidental. Private Practice Revises Access Procedure to Provide Access Despite an Outstanding Balance Issue: Impermissible Use. Presence Health took three months to issue breach notifications when the Breach Notification Rule requires notifications to be sent within 60 days of the discovery of a breach. OCR investigated and discovered similar privacy violations had occurred responding to patient reviews. Nurses who deliberately obtain or disclose individually identifiable protected health information can face a fine of up to $50,000 and a maximum of 12 months in jail. The case was settled for $1,250,000. OCR intervened and provided technical assistance on the HIPAA Right of Access but received a second complaint when the records had still not been provided. Not necessary. A private practice failed to honor an individual's request for a complete copy of her minor son's medical record. Covered Entity: Multi-Hospital Healthcare Provider The penalties for a HIPAA violation are determined by the CE; HIPAA itself does not explicitly state what types of HIPAA violations will and will not result in the loss of a job. The case was settled and a financial penalty of $28,000 was paid. Paradise Family Dental was investigated in response to a complaint that a parent had not been provided with a copy of her minor child's medical records, despite submitting multiple requests to the practice.
Below are details of 47 incidents since 2012 in which workers at nursing homes and assisted-living centers shared photos or videos of residents on social media networks. HIPAA Violations: Nurse Looked At Her Mother's, Sister's Charts, Termination Upheld. In case you aren't sure what I mean regarding judgment and professional boundaries: Nurses need to avoid the appearance of impropriety. Nurse Pleads Guilty to HIPAA Violation A licensed practical nurse who pled guilty to wrongfully disclosing a patient's health information for personal gain faces a maximum penalty of 10 years' imprisonment, a $250,000 fine or both. The HHS has announced that Lahey Hospital and Medical Center has agreed to settle a case with the Office for Civil Rights over alleged HIPAA violations following a data breach that occurred in October 2011. A HIPAA settlement of $218,400 has been reached with St. Elizabeth Medical Center (SEMC) for violations of HIPAA Privacy, Security, and Breach Notification Rules. Private Practice Revises Process to Provide Access to Records The acknowledgement form is now included in the intake package of forms. The case was settled for $2,300,000. The settlement resolves HIPAA violations that contributed to the university experiencing a malware infection in 2013. Issue: Impermissible Disclosure. This discrepancy is expected to be addressed through further rulemaking to make the new penalty structure permanent. Covered Entity: Mental Health Center A hospital employee did not observe minimum necessary requirements when she left a telephone message with the daughter of a patient that detailed both her medical condition and treatment plan. Public Hospital Corrects Impermissible Disclosure of PHI in Response to a Subpoena After being notified by OCR about a proposed fine of $105,000, Dr. Brockley requested a hearing with an Administrative Law Judge, but settled out of court and agreed to a fine of $30,000.
Jail Nursing: No Deliberate Issue: Access, Restrictions. Issue: Impermissible Uses and Disclosures; Authorizations. Steven A. Porter, M.D.'s gastroenterological practice in Ogden, UT reported a breach to OCR involving a medical record company that was blocking access to patients' ePHI until a bill was paid. Covered Entity: Health Plans A patient of University of Cincinnati Medical Center filed a complaint with OCR after not being provided with her requested records more than 13 weeks after submitting a request. Covered Entity: Private Practice The solo dental practitioner in Butler, PA, failed to provide a patient with a copy of their medical record in a timely manner. Pharmacy Chain Revises Process for Disclosures to Law Enforcement The HIPAA Right of Access violation was settled with OCR for $10,000. Issue: Safeguards; Impermissible Uses and Disclosures; Disclosures to Avert a Serious Threat to Health or Safety. We've aggregated the ultimate list of reported celebrity HIPAA violations. CHSPSC LLC is a Tennessee-based management company that provides services to affiliates of Community Health Systems. OCR investigated Peachstate and uncovered multiple potential violations of the HIPAA Security Rule. Covered Entity: Outpatient Facility A nurse working at a clinic in New York became one of many HIPAA violation examples when her sister-in-law's boyfriend was diagnosed with an STD (sexually transmitted disease). Covered Entity: General Hospital A patient's rights under the Privacy Rule are not contingent on the patient's agreement with a covered entity. Between October 23, 2009, and March 7, 2010, part of its database of policyholders was accessible to unauthorized individuals. PHI had been intentionally provided to the media on three separate occasions. The hacker stole data, attempted to extort money, and leaked the ePHI of 208,557 patients online when payment was not received.
The minimum fine is $100 per violation (up to $50,000) for Category 1 violations. The Department of Health and Human Services' Office for Civil Rights (OCR) has revealed a $65,000 HIPAA violation settlement has been agreed with West Georgia Ambulance, Inc., to address multiple breaches of Health Insurance Portability and Accountability Act Rules. The incident for which the fine has been issued dates back to 2009 when a data security complaint was filed by a patient of one of its doctors. OCR intervened but received a second complaint a month later when the records had still not been provided. HIPAA violation penalties are tiered based on the level of negligence determined by the Department of Health and Human Services or the state attorney general. OCR intervened and closed the case but received a second complaint a month later when the records had still not been provided. Common HIPAA violations include verbal discussions of PHI in public areas of a healthcare facility, stolen laptops used in patient care, accessing PHI when the access is not directly related to or while providing care to a patient and, in this reader's case, placing a patient's healthcare document in the regular trash. The HIPAA Right of Access violation was settled with OCR for $32,150. Question: Dear Nancy, Can an RN lose his or her nursing license over a HIPAA violation? The Department of Health and Human Services Office for Civil Rights (OCR) imposed a $1.6 million civil monetary penalty (CMP) on Texas Health and Human Services Commission (TX HHSC) for multiple violations of HIPAA Rules discovered during the investigation of an exposed internal application containing ePHI. To resolve this matter, OCR also required the practice to revise its policies and operating procedures and to move medical alert stickers to the inside cover of the records.
The nurse sent six text messages, warning the man's girlfriend about the disease. A settlement of $400,000 was agreed upon with OCR to resolve the HIPAA violations. OCR also determined that the Center denied the complainant's request for access because her therapists believed providing the records to her would likely cause her substantial harm. The disclosed information included details of patients' visits, treatment, and insurance. In order to resolve this matter to OCR's satisfaction and to prevent a recurrence, the covered entity: terminated the nurse practitioner's access to its electronic records system; reported the nurse practitioner's conduct to the appropriate licensing authority; and provided the nurse practitioner with remedial Privacy Rule training. If an offense is committed under false pretenses, the criminal penalties increase to a maximum . A state health sciences center disclosed protected health information to a complainant's employer without authorization. In the majority of cases, the agency resolves the complaints without the need for an investigation or finds no HIPAA violation exists. Issue: Safeguards; Impermissible Uses and Disclosures. OCR intervened and provided technical assistance on the HIPAA Right of Access but received a second complaint when the practice continued to deny him access. Providence Health & Services. OCR provided technical assistance but received another complaint from the same patient that the records had still not been provided. Issue: Notice. The man sued the clinic, even though it had already dismissed the nurse from her job. This is the second-largest settlement amount agreed with OCR. Issue: Impermissible Uses and Disclosures. The case was settled for $100,000.
OCR discovered risk analysis failures, risk management failures, a failure to conduct technical and non-technical evaluations following environmental or operational changes, and the disclosure of ePHI to a contractor without first entering into a business associate agreement. But it's vital. renewals of licenses or APRN authorizations, or both. Now add up that time for a week, a month, or even a year. OCR stepped up enforcement of compliance with the HIPAA Rules in 2016, more than doubling the number of financial penalties. Nurse Faced with Jail Time for Violating HIPAA Laws Without appropriate HIPAA training, this case of a HIPAA violation demonstrates how critical it is to train workers before there is an issue. Metro Community Provider Network (MCPN) has agreed to pay OCR $400,000 and adopt a robust corrective action plan to resolve all HIPAA compliance issues identified during the OCR investigation. HMO Revises Process to Obtain Valid Authorizations Large Medicaid Plan Corrects Vulnerability that Resulted in Disclosure to Non-BA Vendors The University of Washington Medicine has agreed to settle with the Department of Health and Human Services Office for Civil Rights and will pay a HIPAA fine of $750,000 for potential HIPAA violations stemming from a 90,000-record data breach suffered in 2013. The Privacy Rule requires covered entities to provide individuals with access to their medical records; however, the Privacy Rule exempts psychotherapy notes from this requirement. The center also provided OCR with written assurance that all policy changes were brought to the attention of the staff involved in the daughter's care and then disseminated to all staff affected by the policy change. OCR fined Pagosa Springs Medical Center $111,400 for the failure to terminate a former employee's access to a web-based scheduling calendar, which resulted in an impermissible disclosure of 557 patients' ePHI.
Among other corrective actions to resolve the specific issues in the case, including mitigation of harm to the complainant, OCR required the Center to revise its procedures regarding patient authorization prior to release of protected health information to an employer. At the direction of an insurance company that had requested an independent medical exam of an individual, a private medical practice denied the individual a copy of the medical records. Covered Entity: Health Care Provider / General Hospital And when data breaches like this occur, it's usually because of a HIPAA violation. A staff member of a medical practice discussed HIV testing procedures with a patient in the waiting room, thereby disclosing PHI to several other individuals. Denver Retina Center, a Denver, CO-based provider of ophthalmological services, failed to provide a patient with timely access to the requested medical records. Fines for "reasonable cause" violations range from $100 to $50,000. OCR intervened and the records were provided 8 months after the initial request. OCR conducted an investigation into an incident involving a stolen laptop that contained the ePHI of 20,431 patients. Private Practice Implements Safeguards for Waiting Rooms Among other corrective actions to resolve the specific issues in the case, the practice apologized to the patient and sanctioned the employee responsible for the incident; trained all billing and coding staff on appropriate insurance claims submission; and revised its policies and procedures to require a specific request from workers' compensation carriers before submitting test results to them.
MelroseWakefield Healthcare in Massachusetts received a valid request from a personal representative of a patient on June 12, 2020, but it took until October 20, 2020, for the requested records to be provided due to an error regarding the legality of the durable power of attorney. Covered Entity: Private Practice Among other corrective actions to resolve the specific issues in the case, a letter of reprimand was placed in the supervisor's personnel file and the supervisor received additional training about the Privacy Rule. The employee responsible for the disclosure received a written disciplinary warning, and both the employee and the physician apologized to the patient. OCR investigated a breach reported by the Department of Veteran Affairs involving a business associate, Authentidate Holding Corporation. OCR investigated the allegation and found no evidence that the law firm had impermissibly disclosed the customer's PHI. Violations related to HIPAA laws have serious consequences, including job loss and other penalties. Erie County Medical Center Corporation in Buffalo, NY, failed to provide a patient with timely access to his medical records. Another way to prevent HIPAA violations on social media is to get proper compliance training for your staff. Large Provider Revises Patient Contact Process to Reflect Requests for Confidential Communications In 2016, 12 entities agreed to settle their compliance investigations and pay a financial penalty, with one case seeing civil monetary penalties imposed. 3. For one violation, fines can range from $100-$50,000 for each instance of wrongdoing. OCR investigated and uncovered multiple potential violations of the HIPAA Rules: a risk analysis failure, risk management failure, lack of information system activity reviews, and insufficient technical policies to prevent unauthorized ePHI access.
The new procedures were incorporated into the standard staff privacy training, both as part of a refresher series and mandatory yearly compliance training.