The list below shares 20 real-world HIPAA violations that cost big money for private practices, hospitals, and healthcare professionals. HIPAA exists to protect a patient’s private information. The law carries strict penalties and a risk of devastating civil suits. Frequently, HIPAA violations stem not from malicious intent but from a poor understanding of the law itself.
The examples below show 20 cases where healthcare employees violated the HIPAA law. Violations can involve texting, social media, mishandling of records, illegal access of patient files, or breaches that arise from social situations. Nearly all of the HIPAA case examples below could have been prevented with adequate training and precautions, and starting in 2019 the next series of HIPAA audits is going to be stricter.
1. Surgeon Sentenced to Prison for HIPAA Violation
Losing your job? Take a deep breath before you act. Getting revenge might just land you in jail, as in this HIPAA violation case. It started when a former cardiothoracic surgeon and Chinese immigrant named Huping Zhou got fired from his job. Zhou worked as a researcher at the UCLA School of Medicine. After his dismissal, he illegally accessed the UCLA medical records system over 300 times, viewing the health records of his immediate supervisor, his co-workers, and several celebrities. Zhou was sentenced to four months in jail and a $2,000 fine. Names on the list of medical records he accessed include Arnold Schwarzenegger, Drew Barrymore, Leonardo DiCaprio, and Tom Hanks.
2. Dermatology Practice Penalized for HIPAA Violations
Private practice employees who don’t think they’ll run afoul of the HIPAA law should think again. In fact, private practices are the kind of covered entity most scrutinized by the Office of Civil Rights (OCR). In one HIPAA violation case, a dermatology practice lost an unencrypted flash drive that contained protected health information. The group was fined $150,000 and was required to implement a corrective action plan.
3. HIPAA Violation Case from Submitting Bills to Collections
Sending actual patient bills to collections firms can violate the HIPAA law. That’s illustrated painfully in a HIPAA case example concerning staunch patient privacy advocate Dr. Barry Helfmann, president-elect of the American Group Psychotherapy Association. According to case files, Dr. Helfmann’s employees regularly forwarded past due patient bills to a collections firm. The problem? The bills contained protected info like CPT codes, which can reveal patient diagnoses. As a result, the State of New Jersey sought to suspend and revoke Helfmann’s license. When submitting patient bills to collections firms, it’s vital to omit all patient medical data.
4. Former Hospital Worker Charged with HIPAA Violation
Here’s a rare example of criminal charges brought against an individual for an alleged HIPAA violation. In 2014, Texas hospital employee Joshua Hippler got an 18-month jail term for wrongful disclosure of private patient medical information. Hippler was arrested in Georgia and found to be in possession of medical records. Though the filing didn’t say how many records he had, he was charged with wrongful disclosure of private health information for personal gain. Individual charges like this aren’t common because most violations of HIPAA aren’t intentional. That said, this case should serve as a warning that lone individuals aren’t immune to prosecution.
5. Case Against Walgreen Pharmacist Leads to $1.4 Million HIPAA Award
In 2014, a Walgreen Co. pharmacist violated the HIPAA act when she shared confidential medical info about a customer who once dated her husband. The customer’s lawyer, Neal F. Eggeson Jr., said the case sets an example, since it proves businesses can now be held liable for the actions of their employees.
6. Criminal HIPAA Conviction for Respiratory Therapist
For another example of how important HIPAA training is for employees, we don’t have to look any further than this case of a violation by respiratory therapist Jamie Knapp. Knapp, an employee of ProMedica Bay Park Hospital in Ohio, accessed 596 medical records in a 10-month period. Knapp was authorized to view records as part of her job, but only for the patients she was treating. Allegedly, she viewed files for unrelated patients. Sentencing is set for October and Knapp could face up to a year in jail if convicted. That’s a long shot though, since the prosecutor will have to prove she broke the law on purpose.
7. Nurse Outs STD Patient to Man’s Girlfriend, Man Sues
A nurse in a New York clinic found herself at the center of an ugly HIPAA violation case when her sister-in-law’s boyfriend was diagnosed with an STD. The nurse sent six text messages, warning the man’s girlfriend about the disease. The man sued the clinic, even though it had already dismissed the nurse from her job. The trial court judge dismissed the claim on the grounds that the nurse’s actions were both unforeseeable and based in personal reasons. The plaintiff has appealed the decision. This is one HIPAA lawsuit example that seems unavoidable, with the caveat that the clinic could have prevented the nurse from treating a close personal acquaintance.
8. Nurse Faces Jail Time for HIPAA Violations
This HIPAA violation case example shows how important it is to train staff before there’s a problem. An employee at a midsize clinic was peripherally involved in a lawsuit when a car accident victim sued her husband. When the plaintiff became a patient at the clinic, the employee peeked at the patient’s file and gave private info to her husband. The husband called the plaintiff and demanded that the lawsuit be dropped. The plaintiff quickly called the clinic and the Attorney General’s office to complain. The employee faces a $250,000 fine and up to 10 years in prison if convicted.
The clinic’s head doctor fired the employee and immediately called a staff meeting on the importance of HIPAA. He did the right thing, but even better would be regular staff trainings and a system for flagging potential personal conflicts between employees and patients.
9. File Conversion Leads to HIPAA Case
In some cases a HIPAA case can come apparently from nowhere, and preventing it would require a great deal of creative thinking from a clinic’s employees. For example, in 2016 an orthopedic clinic hired an outside vendor to convert all X-ray films on file to digital form, then harvest the silver from the films. That’s an ingenious service, but since the clinic didn’t first sign a Business Associate Agreement (BAA) with the vendor, it violated HIPAA. The OCR ordered the clinic to pay $750,000 and implement a Corrective Action Plan.
10. Private Practice Implements Safeguards for Waiting Rooms
Can a waiting room cause a HIPAA violation? It happened in this example when a staff member talked with a patient about procedures for HIV testing, thereby disclosing Protected Health Information (PHI) to others in the waiting room. The waiting room’s setup also allowed patients to see PHI displayed on employee computer screens. After an OCR investigation, staff were required to take regular HIPAA trainings, and computer monitors were repositioned.
11. Wrong Number Causes HIPAA Violation
We all make mistakes, but in the world of HIPAA, a single slip can crash an entire practice. In 2013, an HIV-positive patient asked an office manager to fax his medical records to his new urologist. Instead, the very busy office manager accidentally faxed them to his new employer. It was a simple case of number-mixup, but despite heartfelt apologies from the manager and the urologist, the patient wasn’t mollified. He reported the incident and the practice was investigated by the OCR. Luckily, the result was a sternly worded warning and a mandate for regular HIPAA training for all employees.
Mistakes are human. The only way to eliminate them is to mistake-proof the process itself, the way a safety switch in a microwave oven prevents the machine from running while the door is open. For inspiration in your search for HIPAA excellence, look into the concept of mistake-proofing or “Poka Yoke” in the manufacturing world.
12. Employees Fired for HIPAA Breach
One excellent way to prevent malicious snooping that violates HIPAA is to put a system in place to catch it. A Virginia clinic caught 14 employees who had improperly viewed the medical files of a high-profile patient without a legitimate medical need. The clinic caught the employees thanks to a logging system in their IT backend. The system tracks and records all access to files containing PHI. The 14 employees were dismissed from their jobs. While that’s admirable, a better solution might be to inform employees beforehand that the logging system exists, thus stopping violations and firings before they begin.
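The kind of review such an access log makes possible, shown as an added example (not part of the original article and not any clinic's actual system). The log format, user names, patient IDs and the care-team table are all constructed assumptions; the check flags any access by someone with no treatment relationship to the patient, and separately surfaces records opened by several unrelated users, which is the pattern in the high-profile-patient cases.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample data (not from any real system).
# Assumed log format: timestamp,user,patient_id,action
SAMPLE_LOG = """\
2024-03-01T08:02:11,rt_adams,P1001,VIEW
2024-03-01T08:05:40,rt_adams,P1002,VIEW
2024-03-01T09:15:03,rt_adams,P2001,VIEW
2024-03-01T09:16:47,clerk_lee,P2001,VIEW
2024-03-01T09:20:00,dr_shah,P2001,VIEW
2024-03-01T10:01:12,rt_adams,P2001,PRINT
malformed line without enough fields
"""

# Assumed source of truth for treatment relationships: patient -> assigned staff.
CARE_TEAM = {
    "P1001": {"rt_adams", "dr_shah"},
    "P1002": {"rt_adams"},
    "P2001": {"dr_shah"},
}

def parse_log(text):
    """Yield (timestamp, user, patient_id, action); skip malformed rows."""
    for row in csv.reader(StringIO(text)):
        if len(row) == 4:
            yield tuple(field.strip() for field in row)

def flag_unrelated_access(text, care_team):
    """Return accesses by users who are not on the patient's care team."""
    return [rec for rec in parse_log(text)
            if rec[1] not in care_team.get(rec[2], set())]

def crowded_records(flags, threshold=2):
    """Patients opened by >= threshold distinct unrelated users."""
    by_patient = defaultdict(set)
    for _, user, patient, _ in flags:
        by_patient[patient].add(user)
    return {p: u for p, u in by_patient.items() if len(u) >= threshold}

if __name__ == "__main__":
    flags = flag_unrelated_access(SAMPLE_LOG, CARE_TEAM)
    for rec in flags:
        print("REVIEW", *rec)
    print("Multiple unrelated viewers:", crowded_records(flags))
```

A flagged row is a prompt for human review, not proof of a violation: covering staff, emergencies and billing work all produce legitimate accesses that a static care-team table will not know about.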
13. Talk to Yourself? Watch Out for HIPAA
You wouldn’t think an offhand comment made in the back end of a clinic could cause a HIPAA violation, but that’s exactly what happened in this case. In 2015, an employee at the University of Iowa’s Student Health Center expressed her surprise about the results of a high-profile student athlete’s pregnancy test. Despite years of HIPAA compliance training, the employee made a seemingly innocent comment about hoping the young couple was happy. She said she’d been talking to herself, but the incident was overheard and reported by other employees, and the employee in question was fired.
14. Sales Executive Gets $10K HIPAA Fine
A sales exec for Warner Chilcott (now Actavis) was fined $10,000 for a HIPAA violation in late 2016 and very nearly lost his job. The exec habitually filled out prior authorization forms for patients, sometimes putting drug brochures directly into patient charts as a sales tactic. The $10,000 fine may seem like a slap on the wrist, but also on the table was excluding the sales exec from federal Medicare, which would have put an end to his career in pharma sales.
15. Doctors and Employees Fired in Britney Spears HIPAA Case
Sometimes the temptation to peek is just too great. That was the case in an example where six doctors and 13 employees at UCLA Medical Center viewed Britney Spears’ medical records after her 2008 psychiatric hospitalization. Many of the employees were non-medical support staff and none of them had a legitimate medical need to view the PHI. HIPAA violations of this nature could be all but eliminated by following an IT concept called the Principle of Least Privilege. The principle stresses allowing access to data only to those employees who need it to do their jobs.
16. $2.5 Million Settlement in Stolen Laptop HIPAA Case
A cardiac monitoring vendor got into HIPAA hot water when a laptop containing hundreds of patient medical records was stolen from a parked car. The OCR reached a $2.5 million settlement with the vendor, demonstrating that the federal government is extremely aggressive in prosecuting HIPAA cases involving third parties and portable digital media.
17. Healthcare Worker Terminated in HIPAA Breach
A healthcare worker at a Washington State medical center was fired in 2017 for improperly accessing over 600 confidential patient health records. The medical center discovered the breach during a routine audit. The employee viewed information like addresses, phone numbers, diagnoses, and the social security numbers of patients.
18. Facebook HIPAA Violation
In 2017, a HIPAA violation resulted in the firing of a medical employee after she posted about a patient on Facebook. The 24-year-old med tech commented on a post about a patient killed in a car crash, using the words, “Should have worn her seatbelt…” While the comment itself seems innocent and even public-minded, it disclosed PHI about the patient. The employee later told reporters she was fired for a HIPAA violation, though the hospital declined to comment.
19. Reality TV and HIPAA
In 2013, an ABC reality TV show called NY Med filmed two hospital patients without their consent. During filming, one of the patients actually died. The OCR investigated and found that the hospital gave ABC unfettered access, creating a situation where the protection of PHI wasn’t possible. The hospital paid a $2.2 million settlement and instituted a Corrective Action Plan.
20. Cloud-Based HIPAA Trouble
In 2016, a cardiology group with five physicians on staff paid a $100,000 HIPAA settlement involving an online calendar. By posting surgical and clinical appointments on a public, internet-accessed calendar, the clinic was found in violation of HIPAA. The cloud offers an ever-evolving selection of efficiency-improving tools, but along with those new efficiencies come emerging privacy pitfalls.
HIPAA is a minefield of potential violations that almost any doctor or employee can run afoul of in the normal course of work. While some violations come down to greed, personal gain, or nosy behavior, there are plenty of examples where a momentary lapse of concentration can lead to a costly mistake. Writing the wrong phone number on a form or expressing surprise aloud can jeopardize an entire practice. HIPAA training is crucial, but deeper than training, fixing a system that punishes honest human mistakes is a vital next step.
Interested in protecting your business from excess risk? Complete your 2018 Risk Analysis as required by Section 164.308(a)(1)(ii)(A) of the HIPAA Security Rule. Upon completion, you’ll receive a Risk Score and a 23-page Risk Report, and your results will only be shared with your practice. Improper medical waste disposal can open a practice up to a whole host of pitfalls. MedPro Waste Disposal offers peace of mind against needle sticks and incidents, reduced risk (via compliance training), and predictable service with predictable prices. See here for details about the MedPro experience.
© MedPro Waste Disposal, LLC, 2020. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to the author and MedPro Waste Disposal, LLC with appropriate and specific direction to the original content.