Privacy in the spotlight 2010


OCR stepping up HIPAA privacy, security enforcement

Criminal Penalties

• When an individual or covered entity knowingly violates HIPAA and discloses a patient's private health information, they can face up to $50,000 in fines and up to one year in prison.

• When the offense is committed under false pretenses, the penalties are higher. Up to $100,000 in fines can be assessed, and violators can spend up to five years in prison.

Privacy violation: Patient records improperly disposed of

• Rite Aid Agrees to Pay $1 Million to Settle HIPAA Privacy Case

• CVS to pay $2.25 million to settle HIPAA violation

Where did the data end up: In a public dump

What information was revealed: Names, addresses, dates of birth, Social Security numbers, insurance information (including policy numbers), patient identification numbers, as well as protected health information such as diagnoses relating to pathology tests

Privacy violation: Patient information faxed to a business

Where did the data end up: An auto shop

What information was revealed: Six patients' names, dates of birth, and details about the visits

What makes this case special: Unlike so many other examples, this breach of patient confidentiality was accidental. A test fax should have been sent first.

Privacy violation: The selling of patient information

Where did the data end up: A recycling center

What information was revealed: Names of patients, as well as their addresses, phone numbers and medical record numbers, all on printouts

Who was responsible: Hospital janitor Robert Sanders

What makes this case special: Sanders sold 30,000 patient record printouts for $40

Privacy violation: Patient information reproduced, posted publicly

Who was responsible: Five nurses

What makes this case special: While no patient names, photographs or identifying information appear to have been used, according to the hospital, management insisted on pursuing termination hearings for the employees involved.

Where did the data end up:

Privacy violation: Personal discussions involving patients

Where did the data end up: Facebook and in cell phone photos

What went down: Pictures were taken of an X-ray

Who was involved: Two nurses employed by Mercy Walworth

Response: The nurses were fired.

Instead of treating a 60-year-old stabbing victim after his initial arrival at St. Mary Medical Center's ER, nurses and other staff took photos of the man and posted them on Facebook, the Los Angeles Times reports.

“Oakwood Hospital Employee Fired for Facebook Posting”

“Nurses' jobs at risk for allegedly posting patient info on Facebook”

“Hospital worker fired over Facebook comments”

“Single tweet by hospital employee to Mississippi governor violates HIPAA and gets her fired”

“Nurses Fired Over Cell Phone Photos Of Patient”

Captured on Facebook, the food-fighting nurses at hospital where 1,200 died.