In response to OCR's investigation, the mental health center acknowledged that it had not provided the complainant and his daughter with a notice prior to her mental health evaluation. 7 Tips to Avoid a HIPAA Violation As a Nurse - ULM Online CardioNet is a Pennsylvania-based provider of remote mobile monitoring and rapid response services to patients at risk for cardiac arrhythmias. OCR intervened and provided technical assistance on the HIPAA Right of Access but received a second complaint when the records had still not been provided. OCR investigated a breach reported by the Department of Veterans Affairs involving a business associate, Authentidate Holding Corporation. MAPFRE has agreed to a $2,200,000 settlement with OCR. St. Luke's-Roosevelt Hospital Center Inc. has paid OCR $387,200 to resolve potential HIPAA violations discovered during an OCR investigation of a complaint about an impermissible disclosure of PHI. When notified of the complaint filed with OCR, the dental practice immediately removed the red AIDS sticker from the complainant's file. The case was settled for $1,000,000. Question: Dear Nancy, Can an RN lose his or her nursing license over a HIPAA violation? 13 hospital workers fired for snooping in Britney Spears' medical The Department of Health and Human Services Office for Civil Rights announced yesterday that the University of Mississippi Medical Center (UMMC) has agreed to settle alleged HIPAA violations and will pay a financial penalty of $2.75 million. In April, nurses on the night shift at Denver Health Medical Center were caught making inappropriate comments about a male patient's genitalia, according to a report from the Colorado Department.
The following three years saw similar numbers of financial penalties; however, there was another major increase in HIPAA fines in 2020 when 19 HIPAA violation cases were settled with OCR. Southwest Surgical Associates in Texas took 13 months to provide a patient with all of the requested records between February 11, 2020, and March 5, 2021. Issue: Safeguards. Among other corrective actions to resolve the specific issues in the case, the pharmacy revised its policies regarding PHI and retrained its staff. OCR discovered risk analysis failures, risk management failures, a failure to conduct technical and non-technical evaluations following environmental or operational changes, and the disclosure of ePHI to a contractor without first entering into a business associate agreement. A mental health center did not provide a notice of privacy practices (notice) to a father or his minor daughter, a patient at the center. The above penalties were implemented as demanded by the HITECH Act of 2009 and increase annually in line with inflation. Disciplinary Actions and Reinstatements - California During the investigation, OCR discovered the business associate had acquired Peachstate, a CLIA-certified laboratory that provides clinical and genetic testing services. OCR also determined that the Center denied the complainant's request for access because her therapists believed providing the records to her would likely cause her substantial harm. The case was settled for $10,000. OCR investigated and found the EHR company had been allowed access to ePHI without signing a business associate agreement and risk analysis and risk management failures. HIPAA Violation Case Settled Between Ambulance Company & OCR for $65,000.
Social Media HIPAA Violations by Nurses - Law Office of Nicole Irmer The penalties for a HIPAA violation are determined by the CE; HIPAA itself does not explicitly state what types of HIPAA violations will and will not result in the loss of a job. OCR intervened and closed the case but received a second complaint 6 months after the first stating the records had still not been provided. Memphis Commercial Appeal. MIE also settled a multi-state action with state attorneys general and paid a penalty of $900,000. Criminal violations of HIPAA Rules are dealt with by the U.S. Department of Justice. OCR received two complaints from patients in 2019 alleging they had to wait several months to receive a copy of their medical records. Associated Retina Specialists in New York took 5 months to provide a patient with the requested medical records. Issue: Impermissible Disclosure. Aetna Life Insurance Company and the affiliated covered entity (Aetna) were investigated over three data breaches that exposed the ePHI of 18,489 individuals. If an organization fails to take corrective action after having been issued a fine, the HHS Office for Civil Rights can impose subsequent fines. OCR investigated a complaint about an impermissible disclosure of a patient's PHI to a reporter. The new procedures were incorporated into the standard staff privacy training, both as part of a refresher series and mandatory yearly compliance training. An employee at a mid-size clinic was involved in a suit when an auto collision victim sued her spouse. Memorial Healthcare Systems has paid the penalty for non-compliance with HIPAA Rules, and in addition to the $5.5 million settlement, a robust corrective action plan must be adopted to address all areas of non-compliance. An Accusation is a legal document formally charging a registered nurse with a violation(s) of the Nursing Practice Act, and notifying the public that a disciplinary action is pending against that nurse.
Concentra has agreed to pay OCR $1,725,220 to resolve the case. The private practice maintained that the disclosure to the contract research organization was permissible as a review preparatory to research. Memphis healthcare workers charged with HIPPA violations Lifespan Health System Affiliated Covered Entity is a Rhode Island healthcare provider. San Diego-based Sharp Healthcare, dba Sharp Rees-Stealy Medical Centers, failed to provide a patient's medical records to a patient-specified third party for more than 2 months. The employee responsible for the disclosure received a written disciplinary warning, and both the employee and the physician apologized to the patient. Mental Health Center Provides Access after Denial The case was settled for $62,500. It took 8 months from the date of the first request for the records to be provided. A physician practice requested that patients sign an agreement entitled Consent and Mutual Agreement to Maintain Privacy. The agreement prohibited the patient from directly or indirectly publishing or airing commentary about the physician, his expertise, and/or treatment in exchange for the physician's compliance with the Privacy Rule. Department of Justice is the authority that handles all the breach fines and charges for violating HIPAA regulations. An OCR investigation confirmed allegations that a dental practice flagged some of its medical records with a red sticker with the word "AIDS" on the outside cover, and that records were handled so that other patients and staff without need to know could read the sticker. OCR settled the case for $3,500. The case was settled for $65,000. Documentation was uncovered that clearly showed that mobile devices were believed to represent a critical security risk, yet action was not taken to address this issue in time to prevent the data breach.
OCR provided technical assistance to the physician, explaining that, in general, the Privacy Rule requires that a covered entity provide an individual access to their medical record within 30 days of a request, regardless of whether or not the individual has a balance due. Failure to report a violation could have serious consequences. A violation that occurred despite reasonable vigilance can attract a fine of $1,000 - $50,000. OCR launched an investigation into the Carroll County, GA ambulance company, West Georgia Ambulance, after being notified about the loss of an unencrypted laptop computer that contained the PHI of 500 patients. The investigation confirmed there had been a HIPAA Right of Access failure. Disciplinary action taken by the Massachusetts Board of Registration in The HHS has announced that Lahey Hospital and Medical Center has agreed to settle a case with the Office for Civil Rights over alleged HIPAA violations following a data breach that occurred in October 2011. Oklahoma State University Center for Health Sciences experienced a hacking incident that was reported to OCR in January 2018. Wise Psychiatry is a small provider of psychiatric services in Colorado. Mountlake Terrace, WA-based Premera Blue Cross is the largest health plan in the Pacific Northwest. An OCR investigation indicated that the form the HMO relied on to make the disclosure was not a valid authorization under the Privacy Rule. What happens if a nurse violates HIPAA? - HIPAA Guide A nurse and an orderly at a state hospital discussed the HIV/AIDS status of a patient and the patient's spouse within earshot of other patients without making reasonable efforts to prevent the disclosure. Violating HIPAA law can result in fines, job termination, loss of licensure, and criminal charges. Allergy Associates of Hartford paid OCR $125,000 to settle the alleged HIPAA violations.
A New York City Hospital Is Investigating a Nurse for Sharing Video Footage With The Intercept Lillian Udell is being investigated for violating privacy laws after sharing video of nurses. OCR settled the case for $50,000. This was the case in 2019, when a number of healthcare professionals accessed a particular actor's medical records after the actor was part of a potential hoax hate-crime, which became headline news. The solo dental practitioner in Butler, PA, failed to provide a patient with a copy of their medical record in a timely manner. OCR settled the case for $22,500. The Department of Health and Human Services' Office for Civil Rights (OCR) has revealed a $65,000 HIPAA violation settlement has been agreed with West Georgia Ambulance, Inc., to address multiple breaches of Health Insurance Portability and Accountability Act Rules. Large Provider Revises Patient Contact Process to Reflect Requests for Confidential Communications OCR launched an investigation of University of Rochester Medical Center following receipt of two breach reports concerning lost/stolen portable devices containing ePHI: a flash drive and a laptop computer. OCR intervened and provided technical assistance on the HIPAA Right of Access but received a second complaint when the practice continued to deny him access. It took multiple requests and almost 5 months for all of the requested medical records to be provided. One addressed the issue of minimum necessary information in telephone message content. OCR determined its compliance program had been in disarray for several years. Patient Sues Clinician for Privacy Violation After Practice Responds to It took 5 months from the initial request for the complete set of medical records to be provided. A violation due to willful neglect which is not corrected within thirty days will attract the maximum fine of $50,000. If an offense is committed under false pretenses, the criminal penalties increase to a maximum .
There are two key events to consider when looking at the timeline of penalties for HIPAA violations: the passage of the HITECH Act in 2009 which reversed the burden of proof for HIPAA violations, and the HIPAA Omnibus Rule in 2013 which enacted the passage of the HITECH Act making business associates liable for HIPAA violations that were their fault. November 30, 2021 - New York-based Huntington Hospital began notifying 13,000 patients of a data breach that exposed protected health information (PHI) and resulted in a former . A was charged with violating the Health Insurance Portability and Accountability Act (HIPAA) and with "conspiracy to wrongfully disclose individual health information for personal gain with maliciously harmful intent in a personal dispute." Her husband was charged with witness tampering. Among other corrective action taken, the Center provided the complainant with a copy of her medical record and revised its policies and procedures to ensure that it provides timely access to all individuals. The Department of Health and Human Services Office for Civil Rights has announced that Children's Medical Center of Dallas has paid a civil monetary penalty of $3.2 million to resolve multiple HIPAA violations spanning several years. An OCR investigation also indicated that the confidential communications requirements were not followed, as the employee left the message at the patient's home telephone number, despite the patient's instructions to contact her through her work number. Staff Nurse Faces Jail Time for HIPAA Violations A nurse at a Texas children's hospital has been fired for violating Health Insurance Portability and Accountability Act (HIPAA) Rules by posting protected health information on a social media website. It took 564 days from the initial request for all of the records to be provided to the patient.
Among other corrective actions to resolve the specific issues in the case, OCR required this chain to revise its national policy regarding law enforcement's access to patient protected health information to comply with the Privacy Rule requirements, including that disclosures of protected health information to law enforcement only be made in response to written requests from law enforcement officials, unless state law requires otherwise. A patient alleged that a general hospital disclosed protected health information when a hospital staff person left a message on the patient's home phone answering machine, thereby failing to accommodate the patient's request that communications of PHI be made only through her mobile or work phones. Issue: Safeguards; Impermissible Uses and Disclosures; Disclosures to Avert a Serious Threat to Health or Safety. If a nurse violates HIPAA, a patient cannot sue the nurse for a HIPAA violation. During OCR's investigation, the physician confirmed that the complainant was not given access to her medical record because of the outstanding balance.