The Worst HIPAA Violation Cases in Medical History

This list covers five HIPAA violations that cost hospitals, healthcare professionals, and private practices a lot of money. HIPAA exists to safeguard patients’ private information. The law carries stringent penalties and the risk of devastating civil lawsuits. HIPAA violations frequently come not from malicious intent but from a poor understanding of the law itself.

The events below show at least five instances in which healthcare workers violated HIPAA. Violations may involve social media, texting, illegal access to patient files, mishandling of records, or breaches that arise from social situations. Almost all of the HIPAA examples listed could have been prevented with the right precautions and training.

Surgeon Given Prison Time for Violating HIPAA Law

Are you losing your job? Take a deep breath before acting. Getting revenge may land you in jail, as in this case of a HIPAA violation. It began when a Chinese immigrant and former cardiothoracic surgeon named Huping Zhou was fired from his job as a researcher at the UCLA School of Medicine. After the dismissal, Zhou illegally accessed the medical records system at UCLA more than 300 times, viewing the medical records of his co-workers, his immediate supervisor, and multiple celebrities. He was sentenced to a $2,000 fine and four months in jail. Names on the list of medical records he accessed include Tom Hanks, Leonardo DiCaprio, Drew Barrymore, and Arnold Schwarzenegger. Jail time could have been prevented with the right HIPAA training.

Dermatology Practice Was Penalized for Violations

Employees at a private practice who do not think they will run afoul of the HIPAA law ought to think again. As a matter of fact, private practices are the type of covered entity that is most scrutinized by the OCR (Office of Civil Rights). In one case of HIPAA violation, a dermatology practice misplaced an unencrypted flash drive containing protected medical details. The practice was fined $150,000 and had to implement a corrective action plan. This could have been prevented with the right HIPAA training.

Violation Case from Sending Bills Over to Collections

Sending patient bills to collections agencies might be a HIPAA violation. That is painfully illustrated in a case involving Dr. Barry Helfmann, a staunch patient privacy advocate and president-elect of the American Group Psychotherapy Association. According to case files, his employees routinely forwarded past-due bills to collections agencies. The issue? The patient bills included protected information such as CPT codes, which may reveal diagnoses. In turn, New Jersey sought to revoke and suspend the doctor’s license. When sending patient bills to collections agencies, it is critical to omit all patient medical data. This mistake could have been prevented with the right HIPAA training.

Hospital Employee Charged with Violation

Here is a rare example of criminal charges brought against a person for an alleged violation of HIPAA. In 2014, Joshua Hippler, a hospital employee in Texas, received an 18-month jail term for wrongful disclosure of confidential patient medical details. Hippler was placed under arrest in Georgia and found in possession of the medical records. Although the filing did not mention how many records he had in his possession, Hippler was charged with wrongful disclosure of confidential medical details for personal gain. Individual charges such as this are not common because the majority of HIPAA violations are not intentional. That said, the case ought to serve as a warning that individuals are not immune to prosecution. This could have been prevented with the right HIPAA training.

Case Against a Pharmacist of Walgreens Leads to $1.4M HIPAA Award

In 2014, a pharmacist at Walgreens violated HIPAA when she shared confidential medical information about a customer who had at one time dated her spouse. Neal F. Eggeson Jr., the customer’s attorney, claimed the case sets an example, as it proves businesses can now be held liable for their employees’ actions. Medical data breaches could be prevented with the right HIPAA training.

Liked those examples? Let’s not stop here! Below we give a bonus of seven more examples. Check ‘em out!

Respiratory Therapist Receives Criminal HIPAA Conviction

For an additional example of how critical HIPAA training is for staff members, we need look no further than the case of a violation by Jamie Knapp, a respiratory therapist. Knapp, an employee of the Ohio-based ProMedica Bay Park Hospital, accessed 596 healthcare records over a period of 10 months. She was given authority to look at records as part of her job description, but only for those patients she was treating. Allegedly, Knapp looked at files for unrelated patients. Jail time could be prevented with the right HIPAA training.

Nurse Outs Patient with an STD to Man’s Girlfriend, He Sues

A New York clinic nurse found herself in the middle of a HIPAA violation when her sister-in-law’s boyfriend was diagnosed with a sexually transmitted disease. The nurse sent six text messages warning the man’s girlfriend of the disease. The man sued the medical clinic, though the clinic had already fired the nurse. The judge dismissed the claim because the nurse’s actions were both based on personal reasons and unforeseeable. The plaintiff appealed the decision. It’s one example of a HIPAA suit that seems unavoidable, with the caveat that the medical clinic could have prevented the nurse from treating a personal acquaintance. This could have been prevented with the right HIPAA training.

Nurse Faced with Jail Time for Violating HIPAA Laws

This case of a HIPAA violation demonstrates how critical it is to train workers before there is an issue. An employee at a mid-size clinic was involved in a suit when an auto collision victim sued her spouse. Once the plaintiff became a patient at that clinic, the worker looked at the patient’s file and gave confidential information to her spouse. The spouse contacted the plaintiff and requested that the suit be dropped. The plaintiff promptly contacted the clinic and the office of the Attorney General to complain. The worker faced up to ten years in prison and a $250,000 fine if convicted.

The head doctor at the clinic dismissed the staff member and immediately called a team meeting on HIPAA’s importance. The doctor did the right thing, but consistent staff training would be even better, along with a system for flagging possible personal conflicts between patients and employees.

File Conversion Leads to Case with HIPAA

In some instances a HIPAA case may come from nowhere, and preventing it might require a lot of creative thinking from a clinic’s workers. For instance, in 2016 an orthopedic clinic employed an outside vendor to convert every x-ray film on file to a digital format and to harvest the silver from the x-ray films. That is a brilliant service, but because the clinic did not first sign a business associate agreement (BAA) with the vendor, it created a HIPAA violation. The OCR ordered the clinic to pay $750,000 and start a Corrective Action Plan. This fine could have been prevented with the right HIPAA training.

Private Practice Starts Safeguards for the Waiting Room

Is it possible for a waiting room to cause a HIPAA violation? Without the appropriate HIPAA training, no one would know. It occurred in this example when an employee spoke to a patient about HIV testing procedures, thereby disclosing PHI (Protected Health Information) to other people in the waiting room. In addition, the waiting room’s layout allowed people to see Protected Health Information displayed on staff members’ computer screens. After the OCR investigation, team members had to take routine HIPAA training, and the computers were repositioned.

Wrong Number Leads to HIPAA Violation

Everyone makes mistakes, but in the HIPAA world, when there isn’t enough HIPAA training, one slip may crash a whole practice. In 2013, a patient who was HIV positive asked the office manager to fax his medical paperwork to his new urologist. Instead, the busy manager accidentally faxed it to his new employer. It was a simple case of a number mix-up, yet despite sincere apologies from the urologist and the manager, the patient was not mollified. The patient reported the situation, and the practice was placed under investigation by the OCR. Thankfully, the outcome was a firmly worded warning and a mandate for routine HIPAA training for every employee.

Workers Who Did Not Receive HIPAA Training Were Fired for HIPAA Breach

One great method of preventing malicious snooping that violates HIPAA is putting a system in place that catches it. A clinic in Virginia caught 14 workers who had wrongfully looked at the medical records of a high-profile patient without an appropriate medical need. The Virginia clinic caught the workers because of a logging system in its information technology backend. The system records and tracks all access to files that contain PHI. The workers were fired from their jobs. While that is admirable, a better option may have been to inform workers ahead of time that the logging system was there, thereby stopping firings and violations before they start. A firing can be avoided by getting the right HIPAA training.

HIPAA can be a minefield of possible violations that almost any employee or doctor may run afoul of in the normal course of work. Some violations boil down to nosy behavior, personal gain, or greed. There is an abundance of examples in which a temporary lapse of concentration leads to an expensive mistake. This is the reason why training is so important.