The HIPAA Journal legal news section contains details of the latest enforcement activities by the Department of Health and Human Services’ Office for Civil Rights, including settlements and civil monetary penalties, and legal actions taken against covered entities by state attorneys general.

You will also find brief details of class action lawsuits and other legal actions filed against covered entities for HIPAA violations, privacy violations, and data breaches, along with other legal news specifically relating to HIPAA or other legal matters of particular relevance to the healthcare industry.

Changes to HIPAA Rules are detailed in the HIPAA Updates category, although this section does include updates to state legislation, in particular any changes to breach notification and cybersecurity laws that are relevant to healthcare organizations.

ACLU Claims Myriad Genetics Violated HIPAA Rules by Withholding Genetic Data
May24

ACLU Claims Myriad Genetics Violated HIPAA Rules by Withholding Genetic Data

Late last week, a complaint was filed with the Department of Health and Human Services’ Office for Civil Rights by the American Civil Liberties Union after Myriad Genetics refused to provide four patients with copies of their full genetic records – an alleged breach of the HIPAA Privacy Rule. The patients in question had undergone genetic tests to assess hereditary risk for bladder, breast, and ovarian cancer. Myriad provided the patients with details of the genetic factors which were deemed to be significant and useful for healthcare providers. However, the data provided to the patients did not include information about all of the genetic variants Myriad’s testing had uncovered. The patients requested copies of all of their genetic data that was held by Myriad Genetics, including the genetic variants that Myriad deemed not to pose a risk to the patients. Myriad refused to provide copies saying the patients were not entitled to copies of the withheld data. It was claimed that the withheld data was not part of the designated record set which Myriad is required to provide to patients...

Read More
Engineer Indicted on Charges of Trade Secret Theft from Medical Device Companies
May20

Engineer Indicted on Charges of Trade Secret Theft from Medical Device Companies

The United States Department of Justice has charged an engineer with the theft and possession of trade secrets belonging to two medical device manufacturers. 43-year old Wenfeng Lu of Irvine, California, was indicted on 12 charges by a grand jury on Wednesday this week. Lu is alleged to have stolen proprietary trade secures from EV3 Covidien while employed at the company between January 2009 and October 2011, and from Edwards Lifesciences Corp., where he was employed between November, 2011 and November, 2012. Lu is alleged to have stolen information and emailed the confidential data to his personal email account. It has also been alleged that Lu took photographs of equipment and copied company reports, presentations, emails, and test results. Lu visited the People’s Republic of China (PRC) on multiple occasions after obtaining data. It is alleged that Lu was attempting to set up his own company with associates in PRC and planned to use the trade secrets to manufacture medical devices in PRC. Lu was arrested by the FBI in 2012 while preparing to board a plane bound for PRC. Lu was...

Read More
Illinois Data Breach Notification Law Updated
May20

Illinois Data Breach Notification Law Updated

Illinois data breach notification law has been updated, broadening the definition of personal information and changing the timescale for notifying the Attorney General of data breaches. A breach notification will need to be issued if a person’s full name or last name and initial is exposed in combination with any of the following data elements: Driver’s license number Social Security number Credit or debit card number Biometric data Usernames and email addresses (along with passwords or other data that would allow access to accounts to be gained) Medical information Health insurance information Notifications will not be required if a breach occurs and data are encrypted, or if exposed data are publicly available. The new law specifically mentions health insurance information which includes a subscriber ID number, health insurance policy number, or any other unique identifier used to identify an individual. Any medical data provided to a health insurer in an application, appeals records, or claims history, is also included in the new definition. The exposure of information relating...

Read More
Data Breach Class-Action Lawsuit Denied by Penn. Superior Court
May05

Data Breach Class-Action Lawsuit Denied by Penn. Superior Court

A proposed class-action lawsuit filed against two health plans for the exposure of members’ protected health information has been rejected by the Pennsylvania Supreme Court. Avrum Baum filed a lawsuit against Keystone Mercy Health Plan and AmeriHealth Mercy Health Plan in 2010 following the loss of a flash drive containing the data of approximately 286,000 patients. One of the patients affected by the data breach was Baum’s special needs daughter. Baum claimed in the suit that the loss of the device violated the privacy rights of patients. He also claimed the health plans had been negligent by failing to protect the data of patients, and the health plans had inaccurately told patients that their protected health information (PHI) was secured. Baum claimed that deceptive practices were used, which violated Uniform Trade Practices and Consumer Protection Law (UTPCPL). In July 2013, the class-action lawsuit was denied by a trial judge as Baum could not show that his daughter’s PHI was stored on the device and that the case did not have standing because Baum had not purchased his...

Read More
Chicago Hospital Council Files Lawsuit to Prevent Deletion of Patient Data
Apr28

Chicago Hospital Council Files Lawsuit to Prevent Deletion of Patient Data

A lawsuit has been filed against Sandlot Solutions, Inc., and its parent company Santa Rosa Consulting by the MCHC-Chicago Hospital Council in an attempt to prevent the deletion of more than 2 million patient records from Sandlot’s servers. The MCHC-Chicago Hospital Council (MCHC), which includes over 30 area hospitals, operates the MetroChicago Health Information Exchange (HIE). The HIE was formed to allow all participating hospitals to quickly and easily share patient health information and ensure that up-to-date medical records of patients could always be obtained by doctors and healthcare professionals. The HIE contains patient data collected over the past seven years. The HIE is hosted by healthcare information technology company Sandlot Solutions, Inc. On March 28, 2016., Sandlot notified MCHC that it would be winding down its operations and would soon be going out of business. Sandlot is alleged to have shut down access to the HIE a day later. MCHC was also advised that Sandlot would be deleting all HIE data from its servers within 24 hours of providing the council with a...

Read More
New York Hospital Fined $2.2 Million for Unauthorized Filming of Patients
Apr22

New York Hospital Fined $2.2 Million for Unauthorized Filming of Patients

The Department of Health and Human Services’ Office for Civil Rights (OCR) has fined New York Presbyterian Hospital (NYP) $2.2 million for allowing patients to be filmed for a TV show without obtaining prior permission from the patients. In 2011, an ABC crew was permitted to film inside NYP facilities for the show “NY Med” featuring Dr. Mehmet Oz. A number of patients were filmed including a dying man and another patient who was seriously distressed. The footage was aired in 2012. Authorization to film had been given by NYP, although not all patients gave their consent to be filmed. One of the patients was Mark Chanko . He had been rushed to hospital after being hit by a sanitation truck. He was filmed receiving treatment from chief surgery resident Sebastian Schubl. Despite the best efforts of Schubl, Chanko died from the injuries sustained in the accident. Chanko had not given NYP permission to film him. To hide his identity ABC used blurring and voice alteration software. This did not prevent the crew from viewing Chanko’s PHI and it was not sufficient to hide his identity from...

Read More
Raleigh Orthopaedic Clinic Settles for 750K for Lack of BAA
Apr20

Raleigh Orthopaedic Clinic Settles for 750K for Lack of BAA

The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a settlement has been reached with Raleigh Orthopaedic Clinic, P.A., of North Carolina over alleged violations of HIPAA Rules. Raleigh Orthopaedic has agreed to pay OCR $750,000 for failing to enter into a business associate agreement (BAA) with a vendor before handing over the protected health information (PHI) of 17,300 patients in 2013. OCR launched an investigation into a data breach reported by Raleigh Orthopaedic on April 30, 2013. Raleigh Orthopaedic had agreed to provide a potential business associate (BA) with X-Ray films in order to have images transferred to a digital format. The company was allowed to recycle the original films to recover the silver after the images had been transferred to an electronic format. However, the agreement was reached over the telephone and no BAA was obtained. Prior to providing the company with the X-Rays Raleigh Orthopaedic should have issued a BAA and obtained a signed copy. The BAA should have detailed the responsibilities the company had to ensure...

Read More
Lawsuit Filed Against Facebook and Cancer Sites for Alleged HIPAA Violation
Apr15

Lawsuit Filed Against Facebook and Cancer Sites for Alleged HIPAA Violation

A lawsuit has been filed in Federal Court in San Jose, California by cancer patients who allege they have had their privacy violated after visiting the websites of cancer institutes. The plaintiffs claim that the websites of some cancer institutes contain secret code that captures data and passes the information to Facebook for marketing purposes. After visiting the websites, the plaintiffs claim they have been served advertisements relating to very specific types of cancer. It is alleged that in order for those advertisements to be served, Facebook must have been provided with site search data and the specific webpages that were visited. Lead plaintiff in the case, Winston Smith, claims to have visited cancer.org, a website of the American Cancer Society. Smith conducted searches on the site for information on lung cancer and claims those searches, and information about the webpages he visited, were provided to Facebook which used the information to serve him targeted adverts. Smith claims that Facebook’s privacy policy does not specifically mention that highly sensitive medical...

Read More
California Ransomware Bill Passed by State Senate Committee
Apr15

California Ransomware Bill Passed by State Senate Committee

Californian Senator Bob Hertzberg introduced a new bill (Senate Bill 1137) in February which proposes an amendment to the penal code in California to make it a crime to knowingly install ransomware on a computer. The bill has now been passed by the senate’s Committee on Public Safety, taking it a step closer to being introduced into the state legislature. The bill must now go before the state Senate Appropriations Committee; after which it will be considered by both houses. Currently, state law in California covers crimes relating to computer services including “knowingly introducing a computer contaminant,” as well as extortion, the latter being defined as “obtaining the property of another, with his or her consent, induced by a wrongful use of force or fear.” Under existing laws, extortion is punishable with a prison term of 2,3, or 4 years. Ransomware is covered under current laws, although Senator Hertzberg believed an update was necessary given the extent to which ransomware is now being used to extort money from businesses. FBI figures suggest that in the first 3 months of...

Read More
Federal Court Rules Data Breach Covered by CGL Insurance Policy
Apr14

Federal Court Rules Data Breach Covered by CGL Insurance Policy

A federal appeals court ruled this week that Travelers Insurance has a duty to defend Portal Healthcare Solutions in a class-action lawsuit filed by patients whose medical records were exposed on the Internet in 2013. The lawsuit was filed following the exposure of 2,300 patients’ medical records in 2012/2013. The records were stored on computer server that could be accessed over the Internet, and the data of some patients had been indexed by the search engines. Two patients filed a class-action lawsuit after discovering their data could be accessed via Google. The patients claimed they both searched for their own names on Google and the first links that appeared were for their medical records. Both were patients of Glen Falls Hospital in New York. The lawsuit was filed against Portal Healthcare Solutions, which was contracted by Glen Falls Hospital to store patients’ medical records. The server on which doctors’ notes were stored should have been secured; however, a configuration error resulted in data being left unprotected. The files were accessible due to a misconfigured...

Read More
Anthem’s Request to Access Breach Victims’ Computers Denied
Apr13

Anthem’s Request to Access Breach Victims’ Computers Denied

Following any significant breach of protected health information HIPAA covered entities can expect breach victims to file lawsuits to recover damages. Last year’s 78.8 million-record data breach at Anthem Inc., is no exception. Over 100 lawsuits have been filed by plaintiffs to recover damages. Some of the suits are speculative, with plaintiffs attempting to recover damages for the increased risk of harm now faced, although some breach victims are claiming to have suffered actual losses as a result of the Anthem data breach. It is not surprising that the insurer’s legal team has attempted to determine whether the victims have actually suffered losses as a direct result of the Anthem breach. In 2015, over 113 million healthcare records were exposed or stolen. The majority of those records were stolen in the Anthem data breach, but it is conceivable that identity theft could have resulted from another healthcare – or non-healthcare – data breach, from a lack of basic security measures applied by the victims, or from the inadvertent installation of malware on victims’...

Read More
21st Century Oncology Patients Seek Damages After PHI Exposure
Mar25

21st Century Oncology Patients Seek Damages After PHI Exposure

Earlier this month, 21st Century Oncology reported a hacking incident that resulted in the exposure of 2,213,597 individuals’ protected health information (PHI). The security breach, which was discovered by the FBI in November last year, exposed patients’ Social Security numbers, health information, and insurance data. All affected patients were offered a year of credit monitoring and protection services without charge. According to the 21st Century Oncology’s substitute breach notice, in the four months since the discovery of the data breach, no evidence has been uncovered to suggest data have been used inappropriately. Four Class-Action Lawsuits Filed in the Past 3 Weeks Three weeks have passed since the announcement of the data breach and already four class action lawsuits have been filed against 21st Century by patients affected by the breach. Damages of $15 million are currently being sought for the failure to protect patients’ data from unauthorized access. The cancer care provider has also been accused of unjust enrichment, breach of implied covenant of good faith and fair...

Read More
St. Joseph Health Settles Class Action Data Breach Lawsuit
Mar15

St. Joseph Health Settles Class Action Data Breach Lawsuit

St. Joseph Health System has settled a class action lawsuit filed by two plaintiffs for the breach of 31,800 patient health records that took place in 2012. A settlement of $15 million will be split between patients and attorneys, with $7.5 million going to patients and $7.5 million covering attorneys’ fees and legal costs. All patients affected by the breach will receive a check for $242. A $3 million fund has also been set up to cover Identity theft losses that resulted from the exposure of patient health data. Each patient can potentially claim up to $25,000 if they can demonstrate they have suffered losses as a result of the data breach. The data breach in question lasted almost a year and affected patients from a number of hospitals and medical centers run by St. Joseph Health, including Queen of the Valley Medical Center in Napa, Santa Rosa Memorial Hospital, Petaluma Valley Hospital; St. Jude Medical Center in Fullerton, the Auxiliary of Mission Hospital in Mission Viejo and Laguna Beach, Redwood Memorial Hospital of Fortuna, Saint Joseph Hospital of Orange and Eureka. Full...

Read More
Healthcare Cyberattack Suspect Arrested After Being Rescued at Sea
Feb19

Healthcare Cyberattack Suspect Arrested After Being Rescued at Sea

A suspected hacktivist has been arrested after being rescued at sea off the coast of Cuba. Martin Gottesfeld, 31, from Somerville, Mass., is suspected of orchestrating two DDoS attacks on the computer network of a hospital in Boston last year, understood to the be Boston Children’s Hospital. Gottesfeld, who was under investigation for the cyberattacks, is believed to have fled Massachusetts recently to escape arrest. His home was searched by the FBI in October 2014 in connection with the distributed denial of service attack on the Boston Children’s hospital that occurred in April 2014. Somerville Police Department had recently been alerted to the disappearance of Gottesfeld and his wife after reports were received by concerned relatives and friends that the pair had not been seen for several weeks. Last week the police department visited Gottesfeld’s apartment to conduct a well-being check, but no one was home. Just a few days after the visit Gottesfeld turned up, although in a rather unusual place. He and his wife were found off the coast of Cuba in a small boat. They had issued a...

Read More
Physical Therapy Provider Agrees to 25K HIPAA Violation Settlement
Feb18

Physical Therapy Provider Agrees to 25K HIPAA Violation Settlement

OCR has announced it has arrived at a settlement with a Los Angeles-based provider of physical therapy services after the discovery of HIPAA Privacy Rule violations in 2012. Complete P.T., Pool & Land Physical Therapy, Inc., (CPT) has agreed to pay a fine of $25,000 to the Department of Health and Human Services after the company posted photographs and names of patients on the client testimonial section of its website without first having obtained HIPAA-compliant authorizations from the patients in question. Potential HIPAA Privacy Rule violations were reported to OCR on August 8, 2012 and an investigation into the complaint was launched. OCR concluded its investigation on January 15, 2013. OCR found that a number of patients had had their protected health information posted online, yet valid, HIPAA-compliant prior authorizations had not been obtained in writing from the patients before names and full-face photographs were uploaded to the website. OCR determined this to be a clear violation of the Privacy Rule, with CPT found to have violated HIPAA by failing to reasonably...

Read More
Cybersecurity Companies Be Found Liable for Healthcare Data Breaches
Feb13

Cybersecurity Companies Be Found Liable for Healthcare Data Breaches

When a cybersecurity company is contracted to investigate a data breach, that company is expected to conduct a thorough investigation, ensure the breach is contained, and make sure backdoors are found and removed. However, what happens if a security company fails to deliver on its promise? Cybersecurity Firm Sued for Failing to Remedy a Data Breach Chicago-based cybersecurity firm Trustwave was sued late last year by a company that had contracted it to investigate and remedy a data breach. The lawsuit was filed for the company’s alleged failure to adequately investigate and remedy the breach, leaving the computer system open to a further attack. The lawsuit was filed by Affinity Gaming in the U.S. District Court in Nevada with the lawsuit stating that Trustwave’s investigation and remediation efforts were “woefully inadequate.” The investigation into the suspected hacking of the company’s payment card system failed to prevent individuals from gaining access to payment system data two months later. According to the lawsuit, Trustwave had reported to Affinity Gaming that the breach...

Read More
Lincare Inc to Pay $239,800 CMP for HIPAA Violation
Feb03

Lincare Inc to Pay $239,800 CMP for HIPAA Violation

For only the second time in its history, OCR has ordered a HIPAA-covered entity to pay civil monetary penalties for HIPAA violations. Lincare Inc., is required to pay $239,800 for violations of the HIPAA Privacy Rule which were discovered during the investigation of a complaint about a breach of 278 patient records. The Privacy Rule violation – 45 C.F.R. § 164.530(i) – was recently confirmed by a U.S. Department of Health and Human Services Administrative Law Judge and the motion for summary judgement was granted and the decision to issue civil monetary penalties was sustained. HIPAA Privacy Rule Violation Uncovered by OCR Lincare Inc., doing business as United Medical, operates more than 850 medical centers throughout the United States, providing respiratory care and medical equipment to patients at its facilities, and via medical services delivered in-home. A complaint was filed with OCR about an Lincare employee who left documents containing the PHI of 278 patients at one of the locations where medical services were provided. The investigation by OCR confirmed that PHI had...

Read More
Prime Healthcare Services Hit with Privacy Breach Lawsuit
Feb03

Prime Healthcare Services Hit with Privacy Breach Lawsuit

Prime Healthcare Services has been hit with a lawsuit for repeatedly violating the privacy of a former patient of the Shasta Regional Medical Center. The lawsuit was filed in the Shasta County Superior Court last month by Medicare patient Darlene Courtois, 64. The plaintiff claims that her confidential medical files were shared with 785 employees of the Shasta Regional Medical Center in 2011 without her authorization. The medical information was allegedly emailed to medical center employees by the CEO of the medical center in what is believed by Courtois to be an attempt to discredit a news story published by California Watch. The story covered the healthcare chain’s “unusual and lucrative billing practices.” Reporters from California Watch investigated the unusually high number of Kwashiorkor cases dealt with by the hospital in 2009 and 2010. Kwashiorkor is a relatively rare form of protein malnutrition. Each year, fewer than 20,000 individuals are diagnosed with the condition in the United States. Kwashiorkor is more commonly associated with areas hit by famine, and is associated...

Read More
Survey Indicates Law Firms are not Complying with HIPAA Rules
Feb02

Survey Indicates Law Firms are not Complying with HIPAA Rules

The Health Insurance Portability and Accountability Act (HIPAA) covers healthcare providers, health insurers, and healthcare clearinghouses, and all covered entities are required to comply with HIPAA Privacy, Security, and Breach Notification Rules. HIPAA also applies to vendors and other companies doing business with covered entities, which are classed as HIPAA Business Associates (BAs). If a BA is supplied with the Protected Health Information (PHI) of health plan members or patients, or their software or systems are capable of touching PHI/PII, those entities are also required to comply with HIPAA Rules. Are Attorneys Classed as Business Associates of HIPAA-Covered Entities? According to Legal Workspace, healthcare attorneys may fall under the classification of Business Associate, and as such, they must comply with HIPAA Rules.  If a healthcare attorney is provided with healthcare data, it is necessary for that attorney – or his or her law firm – to ensure the necessary technical, administrative, and physical controls are implemented to protect PHI supplied by...

Read More
Snapchat Video Posting Gets Nursing Assistant Fired
Jan20

Snapchat Video Posting Gets Nursing Assistant Fired

A nursing assistant from the Parkside Manor assisted-living facility in Kenosha, WI., has been fired for taking a video of a virtually naked 93-year-old Alzheimer’s patient and sharing the file on Snapchat. In recent months an unsavory trend has emerged involving nurses taking photographs and videos of elderly patients and sharing the files on social media networks. The images and videos show patients in various states of undress, performing degrading acts, or posing in compromising positions. An investigation conducted last year by ProPublica revealed the extent to which this is happening across the United States. Reporters discovered 35 separate cases had been reported, although numerous others have more than likely taken place. Snapchat was found to be the most popular site for image and video sharing, although it is far from the only social media network used for sharing degrading and demeaning images and videos of patients. The latest case involved a video of an Alzheimer’s patient who was recorded sitting on her bed wearing only a bra. Grace Riedlinger, 21, admitted taking...

Read More
New Oregon Breach Notification Law Comes Into Effect
Jan09

New Oregon Breach Notification Law Comes Into Effect

Organizations doing business in the state of Oregon must now comply with a new data breach law that came into effect on January 1, 2016. If a data breach is suffered that exposes the personal information of more than 250 state residents, a breach notice must be submitted to the Oregon Attorney General. On June 10 last year, Oregon Governor Kate Brown signed the new law (Oregon Revised Statutes 646A.604) updating the Oregon Consumer Identity Theft Protection Act of 2007. The amendment expanded the definition of “personal information” to include biometric data such as a retina or iris images and fingerprints, as well as medical and health insurance information. Other data classed as personal information include Social Security numbers, government ID numbers, Driver’s license numbers and financial information including credit or debit card number in combination with any required security code, access code or password. The exposure of any of those data elements along with a person’s full name or last name and initial requires a breach notice to be issued. Oregon is one of a few states...

Read More
Exposure of PHI Grounds to Sue for Damages, Rules Mass. Judge
Jan06

Exposure of PHI Grounds to Sue for Damages, Rules Mass. Judge

A data breach that exposes sensitive Protected Health Information may not necessarily result in patients coming to harm, or suffering an injury or loss. However, breach victims do face an elevated risk of suffering harm and losses. Many will even incur costs as a result of actions taken to reduce the risk of losses being suffered. It is not uncommon for data breach victims to attempt to recover damages from healthcare providers who have exposed their sensitive health data, but it is rare for those lawsuits to succeed or even be heard. In order to successfully sue a healthcare provider or health insurer for a data breach, the plaintiff must be able to produce evidence that losses have been suffered, or at the very least, that data have actually been viewed by unauthorized individuals. However, a Mass. Superior Court judge has recently ruled that a plaintiff does actually have grounds to sue for damages, even if evidence of harm or loss cannot be produced. The exposure of PHI alone can be grounds to claim damages. The ruling came on the case of Walker et al v. Boston Medical Center...

Read More
California Patient Privacy Law Enforcement is Inconsistent
Jan04

California Patient Privacy Law Enforcement is Inconsistent

Last week, California’s enforcement of data privacy rules was criticized after the Department of Public Health was found to be inconsistently enforcing state laws. Numerous healthcare organizations have committed serious privacy violations, yet have escaped fines. Two privacy bills were passed in California in 2008 in an effort to better protect the privacy of state residents. One of the aims was to make healthcare organizations more accountable when privacy violations occurred. The laws were introduced following a number of high profile privacy breaches involving hospital employees snooping on the medical records of celebrities (Britney Spears, Farrah Fawcett and Maria Shriver). Since the bills were passed, healthcare organizations in the state can receive heavy fines for privacy violations, although relatively few fines are issued. California Patient Privacy Laws Being Violated with Few Consequences The state of California has some of the strictest laws on data privacy in the country. While action is taken against healthcare organizations by the Department of Public Health when...

Read More
Pittsburgh Woman Arrested for $600K Medical Insurance Fraud
Dec23

Pittsburgh Woman Arrested for $600K Medical Insurance Fraud

A counselor from the Pittsburgh area has been arrested on suspicion of fraudulently billing over $600,000 for counseling services which were never provided to patients. The investigation was launched after a tip off was received by the Pennsylvania Office of Attorney General’s Insurance Fraud Division by Highmark Blue Cross Blue Shield. Highmark claimed that Lisa A. Wally, 33, also known as Lisa A. Smith Wally from McKeesport, PA, had inflated billings for services she provided to her clients, and billed the insurer for services that were never actually provided. Office of Attorney General investigators discovered Wally had billed for 9,746 office visits for 22 patients between 2011 and 2015. However, investigators only found evidence that 1,987 visits had occurred. In total, Wally had received $601,280 in payments for services that were allegedly provided at her offices in Uniontown, Fayette County, but no evidence could be produced to prove that those sessions had ever taken place. Wally was unable to produce any evidence that the sessions occurred as no patient records were kept...

Read More
HIPAA Privacy Complaint Results in Federal Criminal Prosecution for First Time
Jul30

HIPAA Privacy Complaint Results in Federal Criminal Prosecution for First Time

For the first time, a HIPAA privacy complaint filed with the Department of Health and Human Services’ Office for Civil Rights (OCR) has resulted in federal criminal prosecution. A complaint was filed with OCR over an impermissible disclosure of a patient’s protected health information by a doctor. The doctor, Richard Alan Kaye of Suffolk, Va., was alleged to have shared PHI with the patient’s employer without consent from the patient – A violation of the HIPAA Privacy Rule. The case against Kaye has been referred to the Department of Justice, which has pressed charges. While OCR has referred more than 500 HIPAA violation cases in the past, this if the first time that an investigation of a privacy complaint has resulted in criminal prosecution. Kaye had previously worked at Sentara Obici Hospital in Suffolk, Va., as Medical Director of its Psychiatric Care Center. The patient had been enrolled in a mental health treatment program at the hospital and Kaye treated and subsequently discharged the patient. On discharge, Kaye stated that the patient was not a threat to the public....

Read More