Hospital Revises Email Distribution as a Result of a Disclosure to Persons Without a "Need to Know"
Covered Entity: General Hospital
Issue: Impermissible Use and Disclosure
A complainant, who was both a patient and an employee of the
hospital, alleged that her protected health information (PHI) was
impermissibly disclosed to her supervisor. OCR’s investigation revealed
that the hospital distributed an Operating Room (OR) schedule to
employees via email, and that the schedule contained information
about the complainant’s upcoming surgery. While the Privacy Rule may
permit the disclosure of an OR schedule containing PHI, in this case, a
hospital employee shared the OR schedule with the complainant’s
supervisor, who was not part of the employee's treatment team, and did
not need the information for payment, health care operations, or other
permissible purposes. The hospital disciplined and retrained the
employee who made the impermissible disclosure. Additionally, in order
to prevent similar incidents, the hospital undertook a complete review
of the distribution of the OR schedule. As a result of this review, the
hospital revised the distribution of the OR schedule, limiting it to
those who have “a need to know.”