Covered Entity: Health Plans OCR investigated the allegation and found no evidence that the law firm had impermissibly disclosed the customer's PHI. A national health maintenance organization sent explanation of benefits (EOB) by mail to a complainant's unauthorized family member. The Department of Health and Human Services Office for Civil Rights (OCR) has taken action against a Denver, CO-based federally-qualified health center (FQHC) for security management process failures that contributed to the organization experiencing a data breach in 2011. OCR intervened and closed the case but received a second complaint two months later when the records had still not been provided. Additionally, OCR required the covered entity to revise its Notice of Privacy Practices. The HHS has announced that Lahey Hospital and Medical Center has agreed to settle a case with the Office for Civil Rights over alleged HIPAA violations following a data breach that occurred in October 2011. On September 29, 2011, a portable USB storage device (pen drive) was left overnight in the IT Department from where it was stolen. In March 2019, OCR received a complaint from a patient who alleged she had not been provided with a copy of her medical records in the requested electronic format despite making repeated requests. Children's Hospital & Medical Center (CHMC), a pediatric care provider in Omaha, Nebraska, received a request from a parent for access to her daughter's medical records but only provided part of the requested information, despite repeated requests. The four categories range from unknowing violations to willful disregard of HIPAA rules. A nurse in a New York clinic found herself at the center of an ugly HIPAA violation case when her sister-in-law's boyfriend was diagnosed with an STD. was investigated by OCR in response to a complaint from a patient that she would be charged a fee of $170 for her medical records.
in Chicago, Illinois, was investigated in response to a complaint from a patient who had only been provided with a partial copy of her requested medical records. Lawrence Bell, Jr. D.D.S in Maryland failed to provide a patient with timely access to the requested medical records. OCR settled the case for $5,000. The patient filed a complaint with OCR and the records were eventually provided more than 10 months later. Issue: Access. FileFax agreed to settle the alleged HIPAA violations for $100,000. Concentra has agreed to pay OCR $1,725,220 to resolve the case. The case was settled with OCR for $30,000. In 2013 and 2015, protections on servers were accidentally removed and files containing ePHI could be accessed over the internet without the need for a username or password. In the majority of cases, the agency resolves the complaints without the need for an investigation or finds no HIPAA violation exists. Hospital Revises Email Distribution as a Result of a Disclosure to Persons Without a "Need to Know" Athens Orthopedic Clinic PA in Georgia had its systems hacked in 2016. Listed below are all the OCR HIPAA violation cases that have resulted in a financial penalty. The outpatient facility reportedly believed that such disclosures were permitted by the Privacy Rule. OCR announced that it has reached a settlement for $125,000 with a Denver-based healthcare provider, Cornell Pharmacy, following the improper disposal of patient health records. The HIPAA Right of Access violation was settled with OCR for $30,000. For only the second time in its history, OCR has ordered a HIPAA-covered entity to pay civil monetary penalties for HIPAA violations. Anchorage Community Mental Health Services (ACMHS) runs five mental health facilities in Alaska and is a non-profit organization.
The firewall was inactive for a period of 10 months, leaving the data exposed and potentially accessible to unauthorized third parties for an unacceptable period of time. OCR launched an investigation of University of Rochester Medical Center following receipt of two breach reports concerning lost/stolen portable devices containing ePHI: a flash drive and a laptop computer. Unprotected storage of private health information can be an issue. If an organization fails to take corrective action after having been issued a fine, the HHS Office of Civil Rights can impose subsequent fines. Among other corrective actions to resolve the specific issues in the case, including mitigation of harm to the complainant, OCR required the Center to revise its procedures regarding patient authorization prior to release of protected health information to an employer. A nurse practitioner who has privileges at a multi-hospital health care system and who is part of the system's organized health care arrangement impermissibly accessed the medical records of her ex-husband. Exposure of ePHI as a direct result of the failure to conduct a comprehensive risk analysis and a security assessment on a server prior to using it to share files containing ePHI. OCR attempted to resolve the matter via informal means from November 6, 2015, to August 30, 2016, before issuing a Notice of Proposed Determination on September 30, 2016. Covered Entity: Health Plans / HMOs It took 5 months from the initial request for the complete set of medical records to be provided.
An investigation of five separate breaches at HIPAA-covered entities owned by Fresenius Medical Care North America revealed multiple HIPAA violations had contributed to the breaches. When dealing with these complex issues, you need legal representation that has a long track record of success in these types of cases. A HIPAA settlement of $218,400 has been reached with St. Elizabeth Medical Center (SEMC) for violations of HIPAA Privacy, Security, and Breach Notification Rules. Office for Civil Rights has agreed to its largest-ever financial penalty for a violation of the Health Insurance Portability and Accountability Act's Privacy and Security Rules. In addition, the covered entity forwarded the complainant a complete copy of the medical record. Elite Primary Care is a provider of primary health services in Georgia. The case was settled for $25,000. By Jill McKeon. Failure to report a violation could have serious consequences. The Notice of Enforcement Discretion only applied a cap to each violation tier. OCR settled the case for $20,000. Among other corrective action taken to resolve this issue, the Center provided the complainant with a copy of her records. An outpatient surgical facility disclosed a patient's protected health information (PHI) to a research entity for recruitment purposes without the patient's authorization or an Institutional Review Board (IRB) or privacy-board-approved waiver of authorization. Once the physician learned that he could not withhold access until payment was made, the physician provided the complainant a copy of her medical record. Moreover, the entity was required to train all staff on the revised policy. The containers had labels that included the PHI of patients. The possibility of HIPAA lawsuits brought forth by patients and breach victims could change HIPAA enforcement. The case was settled for $3,500. Covered Entity: Private Practice Case Examples by Covered Entity.
Memorial Hermann Health System has agreed to pay OCR $2,400,000. CHSPSC LLC is a Tennessee-based management company that provides services to affiliates of Community Health Systems. As of July 2022, there have been 38 HIPAA Right of Access cases under this compliance initiative that resulted in financial penalties. Allergy Associates of Hartford paid OCR $125,000 to settle the alleged HIPAA violations. The case was settled for $2,300,000. Advanced Spine & Pain Management, a provider of chronic pain-related medical services in Cincinnati and Springboro, OH, failed to provide a patient with timely access to the requested medical records. The HIPAA Right of Access violation was settled with OCR for $32,150. The infection resulted in the impermissible disclosure of the electronic protected health information of 1,670 individuals. OCR determined there had been a failure to protect patient information which resulted in an impermissible disclosure of 2,150 patient records. The case was settled for $62,500. A patient alleged that a general hospital disclosed protected health information when a hospital staff person left a message on the patient's home phone answering machine, thereby failing to accommodate the patient's request that communications of PHI be made only through her mobile or work phones. The OCR investigation revealed a lack of business associate agreements, insufficient access rights, a risk analysis failure, a failure to respond to a security incident, a breach notification failure, and a media notification failure. Further information on the penalties for HIPAA violations is detailed here. CHCS also failed to implement appropriate security measures to address risks to ePHI in accordance with 45 C.F.R. Educators worry about the confidentiality of all student information, particularly the data relied upon in developing and implementing IEPs and Section 504 plans, often on account of "HIPAA . 
OCR stepped up enforcement of compliance with the HIPAA Rules in 2016, more than doubling the number of financial penalties. OCR intervened and provided technical assistance on the HIPAA Right of Access but received a second complaint when the practice continued to deny him access. This is the second-largest settlement amount agreed with OCR. A private practice physician who was the principal investigator of a clinical research study disclosed a list of patients and diagnostic codes to a contract research organization to telephone patients for recruitment purposes. OCR determined that the private practice denied the individual access to records to which she was entitled by the Privacy Rule. OCR conducted an investigation into an incident involving a stolen laptop that contained the ePHI of 20,431 patients. Covered Entity: Private Practice ACPM Podiatry in Illinois did not provide a former patient with his requested records, and despite the intervention of OCR, the patient was still not provided with the requested records due to the non-payment of a bill by the insurance company. It took 564 days from the initial request for all of the records to be provided to the patient. OCR investigated Peachstate and uncovered multiple potential violations of the HIPAA Security Rule. After OCR notified the entity of the allegation, the entity released the complainant's medical records but also billed him $100.00 for a records review fee as well as an administrative fee. Over the past 12 months, the style and severity of threats have continuously evolved. Covered Entity: General Hospital Among other corrective actions to resolve the specific issues in the case, OCR required that the private practice revise its policies and procedures regarding access requests to reflect the individual's right of access regardless of payment source. An organization's willingness to assist with an investigation is also taken into account.
An employee at a mid-size clinic was involved in a suit when an auto collision victim sued her spouse. HHS Issue: Access. If not, the form is invalid and any information released to a third party would be in violation of HIPAA regulations. Improper Disposal: HIPAA rules state medical professionals must dispose of PHI in a secure manner. If a nurse violates HIPAA, a patient cannot sue the nurse for a HIPAA violation. Among other corrective actions to resolve the specific issues in the case, OCR required the hospital to develop and implement a policy regarding disclosures related to serious threats to health and safety, and to train all members of the hospital staff on the new policy. Large Provider Revises Patient Contact Process to Reflect Requests for Confidential Communications. Honolulu-based Hawaii Pacific Health fired an employee in March after discovering the employee had inappropriately accessed patient medical records between November 2014 and January 2020.