Hospital Revises Email Distribution as a Result of a Disclosure to Persons Without a "Need to Know"
Hospital Revises Email Distribution as a Result of a Disclosure to Persons Without a "Need to Know"
Covered Entity: General Hospital
Issue: Impermissible Use and Disclosure
A complainant, who was both a patient and an employee of the
hospital, alleged that her protected health information (PHI) was
impermissibly disclosed to her supervisor. OCR’s investigation revealed
that: the hospital distributed an Operating Room (OR) schedule to
employees via email; the hospital’s OR schedule contained information
about the complainant’s upcoming surgery. While the Privacy Rule may
permit the disclosure of an OR schedule containing PHI, in this case, a
hospital employee shared the OR scheduled with the complainant’s
supervisor, who was not part of the employee's treatment team, and did
not need the information for payment, health care operations, or other
permissible purposes. The hospital disciplined and retrained the
employee who made the impermissible disclosure. Additionally, in order
to prevent similar incidents, the hospital undertook a complete review
of the distribution of the OR schedule. As a result of this review, the
hospital revised the distribution of the OR schedule, limiting it to
those who have “a need to know.”
| Private Practice Ceases Conditioning of Compliance with the Privacy Rule Covered Entity: Private Practice Issue: Conditioning Compliance with the Privacy Rule A physician practice requested that patients sign an agreement entitled “Consent and Mutual Agreement to Maintain Privacy.” The agreement prohibited the patient from directly or indirectly publishing or airing commentary about the physician, his expertise, and/or treatment in exchange for the physician’s compliance with the Privacy Rule. A patient’s rights under the Privacy Rule are not contingent on the patient’s agreement with a covered entity. A covered entity’s obligation to comply with all requirements of the Privacy Rule ...read more |
| HMO Revises Process to Obtain Valid Authorizations Covered Entity: Health Plans / HMOs Issue: Impermissible Uses and Disclosures; Authorizations A complaint alleged that an HMO impermissibly disclosed a member’s PHI, when it sent her entire medical record to a disability insurance company without her authorization. An OCR investigation indicated that the form the HMO relied on to make the disclosure was not a valid authorization under the Privacy Rule. Among other corrective actions to resolve the specific issues in the case, the HMO created a new HIPAA-compliant authorization form and implemented a new policy that directs staff to obtain patient signatures ...read more |
| Large Health System Restricts Provider's Use of Patient Records Covered Entity: Multi-Hospital Healthcare Provider Issue: Impermissible Use A nurse practitioner who has privileges at a multi-hospital health care system and who is part of the system’s organized health care arrangement impermissibly accessed the medical records of her ex-husband. In order to resolve this matter to OCR’s satisfaction and to prevent a recurrence, the covered entity: terminated the nurse practitioner’s access to its electronic records system; reported the nurse practitioner’s conduct to the appropriate licensing authority; and, provided the nurse practitioner with remedial Privacy Rule training. ...read more |
| Hospital Revises Email Distribution as a Result of a Disclosure to Persons Without a "Need to Know" Covered Entity: General Hospital Issue: Impermissible Use and Disclosure A complainant, who was both a patient and an employee of the hospital, alleged that her protected health information (PHI) was impermissibly disclosed to her supervisor. OCR’s investigation revealed that: the hospital distributed an Operating Room (OR) schedule to employees via email; the hospital’s OR schedule contained information about the complainant’s upcoming surgery. While the Privacy Rule may permit the disclosure of an OR schedule containing PHI, in this case, a hospital employee ...read more |
|
December 2025
| Su | Mo | Tu | We | Th | Fr | Sa |
| 1 | 2 | 3 | 4 | 5 | 6 |
| 7 | 8 | 9 | 10 | 11 | 12 | 13 |
| 14 | 15 | 16 | 17 | 18 | 19 | 20 |
| 21 | 22 | 23 | 24 | 25 | 26 | 27 |
| 28 | 29 | 30 | 31 |
|
Blog Home
Newest Blog Entries
1/21/25 Understanding Business Associate Agreements
11/12/22 Modernizing Medicine Agrees to Pay $45 Million to Resolve Allegations of Accepting and Paying Illegal Kickbacks and Causing False Claims
11/12/22 Indian National Charged in $8 Million COVID-19 Relief Fraud Scheme
11/12/22 Former Hospital Employee Pleads Guilty To Criminal HIPPA Charges
11/12/22 Covered entities and those persons rendered accountable by general principles of corporate criminal liability may be prosecuted directly under 42 U.S.C. § 1320d-6
11/12/22 The Delaware Division of Developmental Disabilities Services Data Breach
11/12/22 OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA
11/12/22 HHS Issues Guidance on HIPAA and Audio-Only Telehealth
11/12/22 Five Former Methodist Hospital Employees Charged with HIPAA Violations
11/12/22 May a covered entity use or disclose protected health information for litigation?
11/12/22 When does the Privacy Rule allow covered entities to disclose protected health information to law enforcement officials?
Blog Archives
January 2025 (1)
November 2022 (54)
Blog Labels
BAA (4)
ePHI (2)
HIPAA Enforcement (3)
EHR Fraud (1)
PPP Fraud (1)
Covered Entity (40)
HIPAA (2)
Data Breach (1)
Telehealth (1)
|
