Clinic Sanctions Supervisor for Accessing Employee Medical Record
Clinic Sanctions Supervisor for Accessing Employee Medical Record
Covered Entity: Outpatient Facility
Issue: Impermissible Use and Disclosure
A hospital employee's supervisor accessed, examined, and disclosed
an employee's medical record. OCR's investigation confirmed that the use
and disclosure of protected health information by the supervisor was
not authorized by the employee and was not otherwise permitted by the
Privacy Rule. An employee's medical record is protected by the Privacy
Rule, even though employment records held by a covered entity in its
role as employer are not. Among other corrective actions to resolve the
specific issues in the case, a letter of reprimand was placed in the
supervisor's personnel file and the supervisor received additional
training about the Privacy Rule. Further, the covered entity counseled
the supervisor about appropriate use of the medical information of a
subordinate.
| Private Practice Ceases Conditioning of Compliance with the Privacy Rule Covered Entity: Private Practice Issue: Conditioning Compliance with the Privacy Rule A physician practice requested that patients sign an agreement entitled “Consent and Mutual Agreement to Maintain Privacy.” The agreement prohibited the patient from directly or indirectly publishing or airing commentary about the physician, his expertise, and/or treatment in exchange for the physician’s compliance with the Privacy Rule. A patient’s rights under the Privacy Rule are not contingent on the patient’s agreement with a covered entity. A covered entity’s obligation to comply with all requirements of the Privacy Rule ...read more |
| HMO Revises Process to Obtain Valid Authorizations Covered Entity: Health Plans / HMOs Issue: Impermissible Uses and Disclosures; Authorizations A complaint alleged that an HMO impermissibly disclosed a member’s PHI, when it sent her entire medical record to a disability insurance company without her authorization. An OCR investigation indicated that the form the HMO relied on to make the disclosure was not a valid authorization under the Privacy Rule. Among other corrective actions to resolve the specific issues in the case, the HMO created a new HIPAA-compliant authorization form and implemented a new policy that directs staff to obtain patient signatures ...read more |
| Thursday, November 10, 2022 Five Former Methodist Hospital Employees Charged with HIPAA Violations Memphis, TN – A federal grand jury has indicted five former Methodist Hospital Employees for conspiring with Roderick Harvey, 40, to unlawfully disclose patient information in violation of the Health Insurance Portability and Accountability Act of 1996, commonly known as “HIPAA.” United States Attorney Kevin G. Ritz announced the indictment today. HIPAA was enacted by Congress in 1996 to create national standards to protect sensitive patient information from being disclosed without a patient’s knowledge or consent. HIPAA’s provisions make it a crime to disclose patient information, ...read more |
| Private Practice Implements Safeguards for Waiting Rooms Covered Entity: Private Practice Issue: Safeguards; Impermissible Uses and Disclosures A staff member of a medical practice discussed HIV testing procedures with a patient in the waiting room, thereby disclosing PHI to several other individuals. Also, computer screens displaying patient information were easily visible to patients. Among other corrective actions to resolve the specific issues in the case, OCR required the provider to develop and implement policies and procedures regarding appropriate administrative and physical safeguards related to the communication of PHI. The practice trained all staff on the newly developed policies and ...read more |
|
November 2025
| Su | Mo | Tu | We | Th | Fr | Sa |
| | | | | | 1 |
| 2 | 3 | 4 | 5 | 6 | 7 | 8 |
| 9 | 10 | 11 | 12 | 13 | 14 | 15 |
| 16 | 17 | 18 | 19 | 20 | 21 | 22 |
| 23 | 24 | 25 | 26 | 27 | 28 | 29 |
| 30 |
Blog Home
Newest Blog Entries
1/21/25 Understanding Business Associate Agreements
11/12/22 Modernizing Medicine Agrees to Pay $45 Million to Resolve Allegations of Accepting and Paying Illegal Kickbacks and Causing False Claims
11/12/22 Indian National Charged in $8 Million COVID-19 Relief Fraud Scheme
11/12/22 Former Hospital Employee Pleads Guilty To Criminal HIPPA Charges
11/12/22 Covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6
11/12/22 The Delaware Division of Developmental Disabilities Services Data Breach
11/12/22 OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA
11/12/22 HHS Issues Guidance on HIPAA and Audio-Only Telehealth
11/12/22 Five Former Methodist Hospital Employees Charged with HIPAA Violations
11/12/22 May a covered entity use or disclose protected health information for litigation?
11/12/22 When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?
Blog Archives
January 2025 (1)
November 2022 (54)
Blog Labels
Telehealth (1)
HIPAA Enforcement (3)
ePHI (2)
BAA (4)
PPP Fraud (1)
Data Breach (1)
EHR Fraud (1)
Covered Entity (40)
HIPAA (2)
|
