Issue: Impermissible Uses and Disclosures. Data were accessed by unknown third parties after ePHI was unwittingly transferred to a server accessible to the public. Contacting individuals to participate in a research study is a use or disclosure of protected health information (PHI) for recruitment, as it is part of the research and is not an activity preparatory to research. CHCS also failed to implement appropriate security measures to address risks to ePHI in accordance with 45 C.F.R. There are four tiers of HIPAA violation penalties for nurses, ranging from unknowing violations to willful neglect of HIPAA Rules. A doctor's office disclosed a patient's HIV status when the office mistakenly faxed medical records to the patient's place of employment instead of to the patient's new health care provider. Oklahoma State University Center for Health Sciences experienced a hacking incident that was reported to OCR in January 2018. OCR investigated the breach and discovered multiple violations of the HIPAA Privacy and Security Rules. Large Provider Revises Patient Contact Process to Reflect Requests for Confidential Communications. There are two key events to consider when looking at the timeline of penalties for HIPAA violations: the passage of the HITECH Act in 2009, which reversed the burden of proof for HIPAA violations, and the HIPAA Omnibus Rule in 2013, which enacted the passage of the HITECH Act, making business associates liable for HIPAA violations that were their fault. Under the revised process, if a subpoena is received that does not meet the requirements of the Privacy Rule, the information is not disclosed; instead, the hospital contacts the party seeking the subpoena and the requirements of the Privacy Rule are explained. OCR also identified issues with the notice of privacy practices, and a HIPAA privacy officer had not been appointed.
In 2013 and 2015, protections on servers were accidentally removed and files containing ePHI could be accessed over the internet without the need for a username or password. To remedy this situation, the private practice revised its policies and procedures regarding the disclosure of PHI and trained all physicians and staff members on the new policies and procedures. Question: Dear Nancy, can an RN lose his or her nursing license over a HIPAA violation? Employees also were trained to review registration information for patient contact directives regarding leaving messages. Among other corrective actions to resolve the specific issues in the case, OCR required the health insurer to train its staff on the applicable policies and procedures and to mitigate the harm to the individual. The new authorization specifies what records and/or portions of the files will be disclosed, and the respective authorization will be kept in the patient's record, together with the disclosed information. Covered Entity: Private Practice. To resolve this matter, OCR also required the practice to revise its policies and operating procedures and to move medical alert stickers to the inside cover of the records. OCR announced that it has reached a settlement for $125,000 with a Denver-based healthcare provider, Cornell Pharmacy, following the improper disposal of patient health records. In addition, OCR determined there had been risk analysis failures, a risk management failure, and a lack of device media controls. The chain acknowledged that log books contained protected health information and implemented the required changes.
OCR determined that there had been an impermissible disclosure of 34,883 patients' ePHI due to a lack of encryption. Covered Entity: Private Practice. OCR Imposes a $2.15 Million Civil Money Penalty against Jackson Health System for HIPAA Violations - October 23, 2019; Dental Practice Pays $10,000 to Settle Social Media Disclosures of Patients' Protected Health Information - October 2, 2019; OCR Settles First Case in HIPAA Right of Access Initiative - September 9, 2019. The Board can report disciplinary actions to other agencies that oversee nursing licenses. Issue: Minimum Necessary; Confidential Communications. Further, the covered entity's Privacy Officer and other representatives met with the patient and apologized, and followed the meeting with a written apology. One of the most common HIPAA violations is a result of lost company devices. The acknowledgement form is now included in the intake package of forms. The California-based psychiatric medical services provider failed to provide a patient with timely access to the requested medical records and charged an unreasonable fee when the records were eventually provided. Talking about a patient in a public area where others can hear you is a HIPAA violation. The records were provided within days of OCR intervening. There are four different HIPAA violation classifications, which rank the level of an organization's willful neglect, and four penalty tiers depending on factors such as the length of time a violation was allowed to continue after being discovered, the number of people affected by the violation, and the nature of the data exposed. Massachusetts General Hospital was fined for allowing an ABC film crew to record footage of patients as part of the Boston Med TV series without first obtaining consent from patients.
OCR investigated the incident and discovered risk analysis and risk management failures, insufficient information system activity logging and monitoring, missing business associate agreements, and a failure to provide employees with HIPAA Privacy Rule training. OCR clarified that an individual's health insurance card meets the statutory definition of PHI and, as such, needs to be safeguarded. Among other corrective actions to resolve the specific issues in the case, OCR required the covered entity to revise its policy. Following the report of the theft of a laptop from the Springfield Missouri Physical Therapy Center, Concentra Health Services was subjected to an investigation by OCR. A violation due to willful neglect which is not corrected within thirty days will attract the maximum fine of $50,000. The practice settled the case with OCR for $80,000. Among other corrective actions to resolve the specific issues in the case, OCR required the hospital to develop and implement a policy regarding disclosures related to serious threats to health and safety, and to train all members of the hospital staff on the new policy. Catholic Health Care Services of the Archdiocese of Philadelphia has agreed to settle alleged HIPAA violations with OCR and implement a Corrective Action Plan (CAP). Paradise Family Dental was investigated in response to a complaint that a parent had not been provided with a copy of her minor child's medical records, despite submitting multiple requests to the practice. HIPAA violations don't just occur when a nurse posts something of their own accord. As HIPAA violations are so severe, and may result in huge fines for Covered Entities, if .
Covered Entity: Outpatient Facility. Among other corrective actions to resolve the specific issues in the case, the pharmacy revised its policies regarding PHI and retrained its staff. MIE also settled a multi-state action with state attorneys general and paid a penalty of $900,000. OCR investigated and found multiple violations of the HIPAA Rules, including a delayed response to a known security breach, risk analysis and risk management failures, and a lack of procedures to monitor information system activity logs. It took 8 months from the date of the first request for the records to be provided. The doctor was retiring and received a delivery of 71 boxes of medical files containing up to 8,000 patient records; however, the delivery was made while he was out of the house, and the boxes were left on the doctor's driveway. The dental practice with offices in Charlotte and Monroe, NC, impermissibly disclosed a patient's PHI on a webpage in response to a negative online review. The revised policy was implemented in the chain's stores nationwide. The HIPAA Right of Access violation was settled with OCR for $10,000. A patient's rights under the Privacy Rule are not contingent on the patient's agreement with a covered entity. Issue: Impermissible Uses and Disclosures; Safeguards. Parkview Healthcare System has agreed to pay an $800,000 settlement for a violation of the HIPAA Privacy Rule. In fact, even a competent healthcare facility will experience minor HIPAA violation cases at some point. A number of patients were filmed, but consent had not been obtained. Therefore you should assess employees' security awareness as part of a risk analysis to see if more training is required.
ACPM Podiatry in Illinois did not provide a former patient with his requested records, and despite the intervention of OCR, the patient was still not provided with the requested records due to the non-payment of a bill by the insurance company. A Nurse's Guide to the Use of Social Media discusses the case of a hospice nurse whose cancer patient had posted about her depression. Advocate Health Care Network will pay a record $5.55 million to settle multiple potential violations of the Health Insurance Portability and Accountability Act. The nurse received the board notice for a hearing and the allegations against her, which involved breaching her duty to protect the patients' confidentiality and privacy rights in violation of the state's nurse practice act and administrative rules. The incident for which the fine has been issued dates back to 2009, when a data security complaint was filed by a patient of one of its doctors. The four categories range from unknowing violations to willful disregard of HIPAA rules. OCR provided technical assistance to the physician, explaining that, in general, the Privacy Rule requires that a covered entity provide an individual access to their medical record within 30 days of a request, regardless of whether or not the individual has a balance due. The case was settled for $15,000. Operating as Agape Health Services, the company experienced a breach of the ePHI of 1,263 patients. Covered Entity: General Hospital. Among other corrective actions to resolve the specific issues in the case, OCR required the outpatient facility to: revise its written policies and procedures regarding disclosures of PHI for research recruitment purposes to require valid written authorizations; retrain its entire staff on the new policies and procedures; log the disclosure of the patient's PHI for accounting purposes; and send the patient a letter apologizing for the impermissible disclosure.