HIPAA Violation Cases are Pervasive
An article by MedPro highlights 20 real-world HIPAA violations that cost the private practices involved serious money. HIPAA exists to protect a patient's private health information, and the law carries strict penalties along with the risk of devastating civil suits. Frequently, violations stem not from malicious intent but from a poor understanding of the law itself. Nearly all of the HIPAA case examples cited below could have been prevented with adequate training and precautions:
HIPAA Violation Case from Submitting Bills to Collections
Sending a patient's actual bill to a collections firm can violate HIPAA. This is illustrated by a case in which medical employees routinely forwarded past-due patient bills to a collections firm. The problem? The bills contained protected information such as CPT procedure codes, which reveal what a patient was treated for and can therefore expose a diagnosis. As a result, the State of New Jersey sought to suspend and revoke the physician's license. Disclosure to a collections firm for payment purposes is permitted, but only the minimum necessary: when submitting patient bills to collections, send the name, amount owed and service dates, and omit all clinical detail such as procedure and diagnosis codes.
Nurse Faces Jail Time for HIPAA Violations
This HIPAA violation case example shows how important it is to train staff before there's a problem. An employee at a clinic was peripherally involved in a lawsuit when a car accident victim sued the employee's husband. When the plaintiff became a patient at the clinic, the employee peeked at the patient's file and passed private information to her husband, who then called the plaintiff and demanded that the lawsuit be dropped. The plaintiff quickly called the clinic and the Attorney General's office to complain. The employee faces a $250,000 fine and up to 10 years in prison if convicted. The clinic's head doctor fired the employee and immediately called a staff meeting on the importance of HIPAA. Even better would be a proactive system for flagging potential personal conflicts between employees and patients, so that an employee with a declared relationship to a patient cannot open that patient's record at all.
File Conversion Leads to HIPAA Case
In 2016 an orthopedic clinic was penalized for hiring an outside vendor to convert all the X-ray films on file to digital form and then harvest the silver from the films. That's an ingenious service, but the clinic had not first signed a business associate agreement (BAA) with the vendor, so handing over the films was an impermissible disclosure of PHI. The clinic agreed with the OCR to pay $750,000 and to implement a corrective action plan.
Doctors and Employees Fired in Britney Spears HIPAA Case
Sometimes the temptation to peek is just too great. That was the case when six doctors and 13 employees at UCLA Medical Center viewed Britney Spears' medical records after her 2008 psychiatric hospitalization. Many of the employees were non-medical support staff, and none of them had a legitimate medical need to view the PHI. Violations of this kind can be sharply reduced by applying an IT concept called the Principle of Least Privilege: employees get access only to the records and fields they need to do their jobs, access is tied to an actual treatment or billing relationship with the patient, and every lookup is logged so that snooping on a record is detected and reviewed rather than discovered after a leak.
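The following is an added example, not code from the MedPro article or from UCLA's systems, showing what least-privilege access to patient records looks like in practice for the two preceding cases: role-based field filtering, a treatment-or-billing relationship check, a declared-conflict block of the kind the nurse case calls for, an emergency "break-glass" override that is permitted but always queued for review, and an audit trail a privacy officer can query. The role names, field sets, user accounts and patient records are all constructed for the demonstration.

```python
"""Least-privilege access to patient records with a reviewable audit trail.

Added example for this article; it is not code from MedPro, UCLA or any EHR
product.  Roles, field sets, user names and patient records are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed minimum-necessary policy: which fields each role may ever see.
ROLE_FIELDS = {
    "clinician": {"name", "diagnosis", "notes", "cpt_codes"},
    "billing": {"name", "balance", "cpt_codes"},
    "support": {"name", "appointment"},
}


@dataclass
class User:
    user_id: str
    role: str
    assigned_patients: set = field(default_factory=set)   # care/billing relationship
    declared_conflicts: set = field(default_factory=set)  # patients the user must never open


@dataclass
class Record:
    patient_id: str
    data: dict
    restricted: bool = False  # e.g. psychiatric admission or high-profile patient


class AccessDenied(Exception):
    pass


class RecordStore:
    def __init__(self, records):
        self._records = {r.patient_id: r for r in records}
        self.audit = []  # every decision, allowed or denied, is recorded

    def _log(self, user, patient_id, decision, reason):
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user.user_id, "patient": patient_id,
            "decision": decision, "reason": reason,
        })

    def read(self, user, patient_id, purpose, break_glass_reason=None):
        """Return only the fields the caller's role needs, and only if a
        relationship with the patient exists (or an emergency is declared)."""
        rec = self._records[patient_id]
        if patient_id in user.declared_conflicts:
            self._log(user, patient_id, "deny", "declared personal conflict")
            raise AccessDenied("declared conflict of interest")
        if patient_id in user.assigned_patients:
            self._log(user, patient_id, "allow", purpose)
        elif user.role == "clinician" and break_glass_reason:
            # Emergency override: permitted, but always lands in the review queue.
            self._log(user, patient_id, "allow", "break-glass: " + break_glass_reason)
        else:
            self._log(user, patient_id, "deny", "no treatment or billing relationship")
            raise AccessDenied("no relationship with patient")
        allowed = ROLE_FIELDS.get(user.role, set())
        return {k: v for k, v in rec.data.items() if k in allowed}

    def events_for_review(self):
        """Audit events a privacy officer should look at: denials, emergency
        overrides, and any access to a restricted record."""
        return [e for e in self.audit
                if e["decision"] == "deny"
                or e["reason"].startswith("break-glass")
                or self._records[e["patient"]].restricted]


def build_demo():
    # Constructed sample data.
    records = [
        Record("P1", {"name": "A. Patient", "diagnosis": "tibial fracture",
                      "notes": "cast applied", "cpt_codes": ["27750"],
                      "balance": 120.0, "appointment": "2024-05-01"}),
        Record("P2", {"name": "B. Wellknown", "diagnosis": "psychiatric admission",
                      "notes": "72h hold", "cpt_codes": ["90792"],
                      "balance": 0.0, "appointment": "2024-05-02"}, restricted=True),
    ]
    store = RecordStore(records)
    doctor = User("dr_lee", "clinician", assigned_patients={"P1"})
    clerk = User("clerk_kim", "billing", assigned_patients={"P1", "P2"})
    temp = User("temp_ray", "support", declared_conflicts={"P1"})
    return store, doctor, clerk, temp


def run_demo():
    store, doctor, clerk, temp = build_demo()
    out = {}
    out["doctor_p1"] = store.read(doctor, "P1", "treatment")
    out["clerk_p1"] = store.read(clerk, "P1", "billing")  # no diagnosis or notes
    for label, user, pid, reason in [("temp_p1", temp, "P1", None),
                                     ("doctor_p2_no_reason", doctor, "P2", None)]:
        try:
            store.read(user, pid, "curiosity", reason)
            out[label] = "allowed"
        except AccessDenied as exc:
            out[label] = "denied: " + str(exc)
    out["doctor_p2_emergency"] = store.read(doctor, "P2", "treatment", "ED arrival, unresponsive")
    out["review"] = store.events_for_review()
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, "->", v)
```

Two design points matter more than the code itself. First, the relationship check and the role filter are separate layers: a billing clerk assigned to a patient still never sees the diagnosis or notes, and a clinician with full clinical rights still cannot open a patient he is not treating without declaring an emergency. Second, the audit log records denials as well as successes; in the UCLA case the interesting signal is a support-staff account repeatedly trying to open one celebrity's record, and that only shows up if refused attempts are logged and reviewed.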
Facebook HIPAA Violation
In 2017, a HIPAA violation resulted in the firing of a medical employee after she posted about a patient on Facebook. The 24-year-old med tech commented on a post about a patient killed in a car crash with the words, "Should have worn her seatbelt..." While the comment itself seems innocent and even public-minded, it tied information she had learned at work to an identifiable patient, which is a disclosure of PHI. The employee later told reporters she was fired for a HIPAA violation, though the hospital declined to comment.
HIPAA is a minefield of potential violations that almost any doctor or employee can run afoul of in the normal course of work. While some violations come down to greed, personal gain, or nosy behavior, there are plenty of examples where a momentary lapse of concentration leads to a costly mistake. Writing the wrong phone number on a form or expressing surprise aloud can jeopardize an entire practice. HIPAA training is crucial, but beyond training, the vital next step is fixing the systems that let a single honest human mistake become a reportable breach: limit who can see what, log every access, and keep clinical detail out of documents that leave the practice.