Facebook Sharing of Patient Info Sees ER Doc Fired
A doctor has recently been fined $500 by the State medical board after posting personally identifiable information about a patient on Facebook, a number of months after the incident caused her to lose her employment. This is a HIPAA violation that all healthcare professionals should take note of. The doctor, Alexandra Thran, did not post the patient’s name in her post, which would be an immediate violation of HIPAA Rules, but she did post sufficient information to enable the person to be identified. Another individual who visited Thran’s Facebook page was able to determine the identity of the patient from the information she wrote on the page, even in the absence of the patient’s name. The disclosure of Protected Health Information, which includes references to medical treatments as well as health records, along with Personally Identifiable Information (PII) can result in civil penalties being brought against the covered entity and any individual responsible for the HIPAA breach. The penalties can involve time in jail. This is not the first incident of its kind. Nurses and doctors...
Massachusetts General Hospital Fined $1 for Lost PHI
The Department of Health and Human Services’ Office for Civil Rights has announced that it has reached a settlement with Massachusetts General Hospital for potential HIPAA violations as a result of the loss and potential disclosure of the medical records of 192 patients. The patients affected had attended the healthcare provider’s Infectious Disease Associates outpatient practice. MGH has agreed to pay $1 million to the OCR. The incident that triggered the penalty involved the loss of paper files which an employee of the Massachusetts Attorney General had taken on the Subway. When the employee got off, the documents stayed and they were never to be seen again. This may have been a simple case of absent mindedness, but it is negligence and should not have been allowed to occur. Policies should have been in place to prevent PHI from leaving the premises, staff should have received training and protections put in place to secure confidential data. The OCR has issued an action plan which MGU must follow to bring its privacy and data security standards up to the required level. The...
Cignet Fined 4.3 M for HIPAA Privacy Rule Violation
Prince George’s County has been ordered to pay a $4.3 million fine after it was discovered that two hospitals run by Cignet Health had violated the HIPAA Privacy Rule on 41 separate occasions, refusing to provide patients with a copy of their own medical records. The Privacy Rule violations took place between September 2008 and October 2009. Requests can be made by patients under Privacy Rule provisions and healthcare providers must provide them with a copy of their records. All requests must be dealt with within 60 days, and while patients should not be charged for the service, healthcare providers can obtain funds from patients to cover the cost of supplying those records. Cignet did not provide information to any of those patients. When patients were refused access to their records, a number filed complaints with the Office for Civil Rights; the Department of Health and Human Services’ HIPAA enforcer. The OCR investigates potential HIPAA violations and if it strongly suspects violations have occurred, the organization in question can be subjected to a full compliance...
Health Net Fined 55K for Delayed HIPAA Breach Notification
Connecticut-based insurance company – Health Net – is to pay a fine of $55,000 to the Vermont Attorney General’s Office for HIPAA non-compliance and failing to protect the data of the state’s policy holders following a HIPAA data breach that exposed the personal health information of 1.5 million people. The Health Insurance Portability and Accountability Act (1996) requires all covered entities report security breaches that expose patient data to the Department of Health and Human Services, and breach notifications must also be issued to all affected individuals in a reasonable time frame. Health Net discovered that a computer hard drive had gone missing from its facilities on May 19, 2009, yet it took the insurer more than 6 months to issue breach notifications to the affected patients. When that notification was finally sent, the 525 Vermont residents affected by the breach were advised that the risk of their data being viewed by unauthorized individuals was low. According to Health Net, “the files on the missing drive were not saved in a format that can be...
Newark Beth Israel Medical Center Suffers Second HIPAA Breach
A second data breach has occurred involving Newark Beth Israel Medical Center, with the latest incident potentially exposing the Healthcare data of 1,744 patients. Earlier this year the hospital learned of a data breach affecting 956 of its patients. The latest breach also involved a Business Associate of the Saint Barnabas Health System, in this instance, Professional Transcription Company, Inc. (PTC). The data breach is understood to have occurred on or around New Year’s Day, 2010, according to a breach notification published on the hospital’s website. PTC is contracted to provide transcription services for dictated physician reports and is therefore required to have access to certain Protected Health Information of patients. However, the company inadvertently posted some clinical reports containing PHI on a website which could potentially have been accessed by unauthorized individuals. The reports contained the full names of patients, their dates of birth, medical record numbers, hospital account numbers, physician’s name, diagnoses of medical conditions, treatments received and...



