In March 2019, OCR received a complaint from a patient who alleged she had not been provided with a copy of her medical records in the requested electronic format despite making repeated requests. The OCR investigation determined 577 patients had been affected, but Sentara Hospitals refused to update its breach notice to reflect the correct number of patients affected. The HHS' Office for Civil Rights receives between 1,200 and 1,500 complaints and notifications of breaches per year. Clinic Sanctions Supervisor for Accessing Employee Medical Record In addition, the covered entity forwarded the complainant a complete copy of the medical record. To resolve this matter, OCR also required the practice to revise the office's fax cover page to underscore a confidential communication for the intended recipient. Issue: Impermissible Uses and Disclosures; Safeguards. The last update to the HIPAA violation penalty amounts applies to cases assessed on or after March 17, 2022, as detailed in the table below: *Table last updated in March 2022. Not necessary. In more severe cases, or where multiple violations have occurred, the nurse may lose their job. A contested hearing took place, and the board found the nurse: A Nurse's Guide to the Use of Social Media discusses the case of a hospice nurse whose cancer patient had posted about her depression. Some cases also can result in imprisonment of up to one year for a standard violation and imprisonment of up to five years for a violation committed under false pretenses. Issue: Access, Authorization. Maybe PHI was in the background unknowingly. Five former Methodist employees have been indicted on charges. Denver Retina Center, a Denver, CO-based provider of ophthalmological services, failed to provide a patient with timely access to the requested medical records. Anchorage Community Mental Health Services (ACMHS) runs five mental health facilities in Alaska and is a non-profit organization.
Elite Primary Care is a provider of primary health services in Georgia. The impermissible disclosures of PHI resulted in a $10,000 settlement. Additionally, OCR required the covered entity to revise its Notice of Privacy Practices. OCR received a complaint from a patient alleging BILHBS had not provided a copy of her father's medical records. Radiologist Revises Process for Workers' Compensation Disclosures Between October 23, 2009, and March 7, 2010, part of its database of policyholders was accessible to unauthorized individuals. The case was settled for $3 million. The above penalties were implemented as demanded by the HITECH Act of 2009 and increase annually in line with inflation. November 16, 2022. U.S. Department of Health & Human Services Covered Entity: Health Plans / HMOs The case was settled for $65,000. Large Medicaid Plan Corrects Vulnerability that Resulted in Disclosure to Non-BA Vendors Private Practice Revises Access Procedure to Provide Access Despite an Outstanding Balance The dental practice with offices in Charlotte and Monroe, NC, impermissibly disclosed a patient's PHI on a webpage in response to a negative online review. Issue: Impermissible Disclosure-Research. Pharmacy Chain Revises Process for Disclosures to Law Enforcement Among other corrective actions to resolve the specific issues in the case, OCR required the covered entity to revise its policy. Moreover, the entity was required to train all staff on the revised policy. A violation of HIPAA attributable to ignorance can attract a fine of $100 - $50,000. CHMC settled the HIPAA Right of Access case with OCR and paid an $80,000 penalty. When notified of the complaint filed with OCR, the dental practice immediately removed the red AIDS sticker from the complainant's file. A violation that occurred despite reasonable vigilance can attract a fine of $1,000 - $50,000. Washington, D.C.
20201 Toll Free Call Center: 1-800-368-1019 Private Practice Provides Access to All Records, Regardless of Source OCR provided technical assistance to the physician, explaining that, in general, the Privacy Rule requires that a covered entity provide an individual access to their medical record within 30 days of a request, regardless of whether or not the individual has a balance due. The Phoenix, Arizona-based non-profit health system, Banner Health, experienced a hacking incident that resulted in the impermissible disclosure of the PHI of 2.81 million individuals in 2016. In case you aren't sure what I mean regarding judgment and professional boundaries: nurses need to avoid the appearance of impropriety. A covered entity's obligation to comply with all requirements of the Privacy Rule cannot be conditioned on the patient's silence. A patient's rights under the Privacy Rule are not contingent on the patient's agreement with a covered entity. Among other corrective action taken, the Center provided the complainant with a copy of her medical record and revised its policies and procedures to ensure that it provides timely access to all individuals. ACMHS has agreed to settle the case with OCR for $150,000. OCR intervened and provided technical assistance on the HIPAA Right of Access but received a second complaint when the practice continued to deny him access. An employee of a major health insurer impermissibly disclosed the protected health information of one of its members without following the insurer's authorization and verification procedures. OCR determined there had been a risk analysis failure, an access control failure, an information system activity monitoring failure, and an impermissible disclosure of 6,617 patients' ePHI. The containers had labels that included the PHI of patients. The employee responsible for the disclosure received a written disciplinary warning, and both the employee and the physician apologized to the patient.
OCR launched an investigation into the Carroll County, GA ambulance company, West Georgia Ambulance, after being notified about the loss of an unencrypted laptop computer that contained the PHI of 500 patients. Issue: Conditioning Compliance with the Privacy Rule. Nurses who deliberately obtain or disclose individually identifiable protected health information can face a fine of up to $50,000 and a maximum of 12 months in jail. U.S. Department of Health & Human Services 200 Independence Avenue, S.W. Massachusetts General Hospital was fined for allowing an ABC film crew to record footage of patients as part of the Boston Med TV series without first obtaining consent from patients. The University of Washington Medicine has agreed to settle with the Department of Health and Human Services' Office for Civil Rights and will pay a HIPAA fine of $750,000 for potential HIPAA violations stemming from a 90,000-record data breach suffered in 2013. The Department of Health and Human Services' Office for Civil Rights (OCR) has revealed that a $65,000 HIPAA violation settlement has been agreed with West Georgia Ambulance, Inc., to address multiple breaches of Health Insurance Portability and Accountability Act Rules. Providence Health & Services. Under the revised policies and procedures, the practice may use and disclose PHI for research purposes, including recruitment, only if a valid authorization is obtained from each individual or if the covered entity obtains documentation that an alteration to or a waiver of the authorization requirement has been approved by an IRB or a Privacy Board. The Department of Health and Human Services' Office for Civil Rights has announced it has settled potential HIPAA violations with Feinstein Institute for Medical Research for $3.9 million. Issue: Impermissible Uses and Disclosures; Authorizations.
OCR attempted to resolve the matter via informal means between November 6, 2015, and August 30, 2016, before issuing a Notice of Proposed Determination on September 30, 2016. OCR settled the case for $30,000. The maximum financial penalty, for willful neglect of the HIPAA Rules, is $1.5 million per violation category, per year. The diagnostic laboratory settled the case with OCR and paid a $16,500 financial penalty. The Privacy Rule requires covered entities to provide individuals with access to their medical records; however, the Privacy Rule exempts psychotherapy notes from this requirement. Gossip is a casual conversation about other people which can be positive, neutral, or negative. Over the past 12 months, the style and severity of threats have continuously evolved. A was charged with violating the Health Insurance Portability and Accountability Act (HIPAA) and with "conspiracy to wrongfully disclose individual health information for personal gain with maliciously harmful intent in a personal dispute." Her husband was charged with witness tampering. Private Practice Revises Process to Provide Access to Records Regardless of Payment Source The Privacy Rule permits the imposition of a reasonable cost-based fee that includes only the cost of copying and postage and of preparing an explanation or summary if agreed to by the individual. A patient submitted a complaint to OCR about an impermissible disclosure of PHI in a mailing. There are four tiers of HIPAA violation penalties for nurses, ranging from unknowing violations to willful neglect of HIPAA Rules. San Diego-based Sharp Healthcare, dba Sharp Rees-Stealy Medical Centers, failed to provide a patient's medical records to a patient-specified third party for more than 2 months. QCA Health Plan, Inc. of Arkansas reported the theft of a laptop from a car that contained unencrypted data on 148 patients.
Covered Entity: Private Practices On Tuesday, the Department of Justice said Jeffrey Parker of Rincon. OCR provided technical assistance and closed the case, but the records were still not provided. The case was settled for $10,000. King MD is a small provider of psychiatric services in Virginia. Covered Entity: Health Care Provider 6) Keep Thoughts to Yourself. Reports can be filed either through internal channels or electronically through the Department of Health and Human Services. OCR's investigation revealed that periodic technical and non-technical evaluations of operational changes affecting the security of their electronic PHI had not been performed, procedures had not been implemented to verify the identity of individuals accessing their ePHI, there was a lack of ePHI safeguards, and Aetna had violated the minimum necessary standard. Issue: Impermissible Uses and Disclosures. The PHI of 58,106 patients was improperly disposed of during that timeframe. OCR announced that it has reached a settlement for $125,000 with a Denver-based healthcare provider, Cornell Pharmacy, following the improper disposal of patient health records.