HIPAA violations are finally starting to be punished

February 19, 2009

AP reported this morning that CVS is settling a patient information investigation with HHS and the FTC to the tune of $2.25M. Here’s the gist of it:

Employees at CVS pharmacies left the labels and other items in open trash bins outside stores, according to the Federal Trade Commission and the Department of Health and Human Services. The company also did not have adequate policies for disposing of that information, and did not sufficiently train employees to dispose of the information properly, the agencies say.

The items that were not properly discarded included pill bottles, medication instruction sheets, computer order forms, payroll information, job applications and credit card and insurance information. Those labels and forms contained personal information including Social Security numbers and credit card and insurance information, and in some cases, driver’s license numbers and account numbers. Names of the patients’ doctors were also included.

CVS said it is not aware of any consumers being harmed and has not acknowledged any wrongdoing but settled the investigation "to avoid the time and expense of further legal proceedings."

HIPAA has always been touted as a mechanism to ensure patient privacy and while it’s been a good first step, HIPAA just doesn’t have enough enforcement action capability or monitoring systems in place to make a substantial difference.

What CVS is being fined for is not unique and certainly not going to go away anytime soon. As long as the healthcare system lives on paper and we have to use untraceable faxes, mail, copies, and other manual means of transmitting patient information, these kinds of HIPAA violations will continue to occur. I for one am glad to see that some enforcement is happening but it’s not enough to actually stem the tide of patient information disclosure violations.

  • Summertime54
    I have a dentist who allowed her employee to send medical procedures from the office with her personal email address. Is this considered HIPAA?
  • Juli
    my physician announced my name and my diagnosis and scolded me for not agreeing to a third surgery. He did all this in a waiting room that had a half dozen other patients. They all heard him as he did not lower his voice at all. I was relieved to hear the diagnosis at first then the realization hit that he'd violated my right to privacy. Do I have a cause of action against him and/or the hospital where this took place?
  • cindy
    I work at a practice management co. and our system is one enterprise with over 70 practices. I had an office manager call and say she had to reschedule a patient and when she did she received a system alert stating the patient had another appointment for that date and time at a different practice name. Since we have the one enterprise, the system searches all practices. Is this a HIPAA violation?
  • Sherry
    Question:
    I was away on medical leave. My supervisor told all the employees about my absence and why I was away from work. Is this a violation of HIPAA or any employee rights?
  • Violet
    Yes, giving out your diagnosis to office workers was a hipaa violation.
  • DCJ
    My employer gave a medical record that authorized treatment for hepatitis b vaccine consent to a lawyer and it was used against me during an arbitration hearing. This hep b treatment was an optional treatment relating to a blood exposure I was involved in at work. The arbitration hearing was for payment of overtime hours in relation to follow up blood testing.

    Is the use of that consent form a HIPAA violation?
  • leon54
    If a medical records worker is on break or not actually working on medical records at the time and is just pulling up patient charts on the computer just to read them, is that a HIPAA violation?
  • Violet
    Yes, that's most definitely a hipaa violation. Reading of medical records is on a "need to know" basis for the medical records worker... and if a medical records worker is not reading the patient charts for information to file a claim or something else related to what's necessary to do the job, and is just reading out of curiosity, this is a hipaa violation. If this person were caught doing this by the hospital they worked for, they would be fired.
  • cmungin0606
    I was in a pharmacy recently and in front of other customers a pharm empl asked my name, DOB and the type of medication I was taking. This was asked from the other end of the counter. I walked down towards her and gave her the information. It being obvious to all around I do not care to share this info with everyone around me. She then turned around to the pharmacist and said do you have (named med) for (said my name) out loud for everyone to hear. I then asked her why she shouted my personal information out. She said well I had to ask if he knew where it was. She is obviously very lazy and did not want to walk 10 steps to ask the pharmacist this information. I since called the store manager and told him about this. I do believe this is a violation of HIPAA. Am I correct?
  • violet
    Yes, it was a hipaa violation. You should complain to the pharmacist and ask to fill out a hipaa report. The name of the medicine you're taking is your personal health information, and this is why they have consultation areas in the pharmacy now. The pharmacy tech should have just asked the pharmacist if your prescription was ready, and not said the name of the drug for everyone to hear. What prescriptions you take is personal health information.
  • eeyorelrn
    The Hospital that I work for is trying to implement "walking rounds", which means we give report on each patient at the patient's bedside, including diagnosis, primary medical history, lab results, radiology reports, etc. My main issue with this is that the vast majority of the rooms are semi-private rooms, which means there is always at least one other person in the room at all times, let alone any family members and visitors. The only thing that actually separates the areas where the patients stay is a sliding cloth curtain.

    I have repeatedly told my Nurse Manager that I feel as if this is a direct HIPAA Violation, and that I did not want to risk my Nursing License over it. The last direction from her was that this was NOT a HIPAA Violation and that I "WILL" give all reports at the patient's bedside. Is this a HIPAA Violation? If so, whom should I contact about this issue? This is a Federally run Hospital system- does that make a difference in adherence to the HIPAA standards?
  • violet
    No, this would not be a hipaa violation. The information that would be heard by the patient on the other side of the semi-private room would be considered required release of information to treat the patient. Look at it this way... you have to treat the patient, and this includes discussing their health history or diagnosis at their bedside. You can't exactly move the other patient out into the hall, can you? This would be considered unavoidable release of PHI. Now, it's a little different if you discuss the patient in the parking lot or your local bar after you get off work. That actually happened... a health care worker discussed all of his patients after work over drinks at the bar.. and it cost him a lot of money due to hipaa violations. Talking with the patient at bedside is not a hipaa violation. Your nurse manager is right.
  • selma17214
    I had a CT Scan done and was waiting for the diagnosis in the front room. The receptionist received a phone call and asked for the patient's name. She called me, by name and I got up from my seat and started walking toward the check in desk where she was and before I could get 3 steps in she told me and everyone else in the waiting room that they didn't find any more nodules in my chest and that I was free to go. Now, to me that is a HIPAA violation...What do you say?
  • violet
    oh, yes... hipaa violation. Your diagnosis is your personal health information.. and shouldn't have been discussed in the waiting room.
  • Lisa
    My husband was injured recently and decided to see some of the physicians I work with. He asked me to get some information regarding his appointments for reimbursement purposes and I told him after he signed a release of information I could. He came to my place of employment, signed the form and I personally retrieved the information later that day. My employer is now accusing me of violating HIPAA regulations and wants me to sign a disciplinary report. Did I really do something wrong? Am I obligated to sign a form stating I violated privacy practices when I feel I did nothing wrong and if I did I was not aware? PLEASE HELP CLARIFY !!!!
  • violet
    sounds like the release of information he signed was just so HE could get the information.. and not so YOU could get the information.. in other words, he didn't specify that you were the one who could receive the information... if so, then it would be a hipaa violation. I'm wondering if you misunderstood what forms he signed... and didn't realize this? Even so, as long as your place of employment knows it wasn't intentional on your part, I think it shouldn't affect your job there. Sounds like your employer just wants to cover themselves.
  • violet
    oh, to clarify... your employer is trying to cover themselves, in case your husband decides to file a lawsuit against you for release of personal health information...as long as you know your husband isn't about to sue you, I think you're safe. (being sarcastic, here..) I think your employer should have just reprimanded you, if you didn't complete the form correctly, specifying you could receive the information. Unless they're planning on suing you (and themselves, since they employed you) on behalf of your husband? Again, they're just trying to cover themselves...and getting a little anal about it...
  • Lisa
    I work for a major medical corporation as a cma. Recently my husband was injured and started seeing some of the physicians I work with. My husband needed some appointment information to submit for reimbursement purposes and after having him sign a release of information, I retrieved the documentation he requested personally. My employer is now accusing me of violating HIPAA and wants me to sign a disciplinary form. Did I really violate any regulations?
  • Ms. W.
    If you worked in a healthcare field and you discussed a patient without declaring that person's name, are you violating HIPAA laws?
  • violet
    no... but it's not a good idea. If it's not necessary for you to discuss the patient, and not needed to do your job, then you shouldn't be doing it. However, if you say enough that someone else overhearing could identify the patient you're talking (gossiping) about.. then, starts to come close to a hipaa violation.
  • Erica
    I was transported from work to the emergency. A co-worker-human resource worker-from my job stayed with me at the hospital. When the dr came in the room after getting test results, he informed me that I was pregnant, which I was not because I had just had an abortion 2 days prior, but my urine was still showing pregnancy. I had no idea he was about to give results of any test. He did not ask my co-worker to leave the room before giving me these results so of course she heard everything. I tried to cover it up by saying no I'm not and his response was yes you are the test says you are. I was horrified. How could he not ask if I wanted him to give results in front of her? This was not something that I wanted to explain in front of anyone. It was a choice I had made and he had no right revealing it. It had nothing to do with my current condition at all. Till this day I still feel like she may have told someone and that people are looking at me funny. I am so embarrassed to say the least. It's like coming to work and reliving a hard decision every day, and it hurts every time I see the woman. And no, we look nothing alike so he could not have mistaken her for a family member and he even asked me when he came in "so I understand you were transferred here from work"....I'm so upset. What can I do? I feel like I wanna quit my job.
  • violet
    yes, hipaa violation. he should have asked the other person to leave the room. your medical history (diagnosis) is your PHI... personal health information...
  • lori
    My husband has recently been diagnosed with sleep apnea. One day when I came home from work a message was left on my answering machine to call the sleep study office to decide on which healthcare office we would like to have his orders sent to for a cpap machine. Just as I was getting ready to call the sleep center I received a call from one of these healthcare offices stating they would like to have my husband use their office. I told them I would be calling the sleep center first. I did then call the sleep center and they told me something was not right because this healthcare office should not have had any information yet. Is this something we should be checking further for HIPAA violations?
  • violet
    not sure.. but wondering why you would care, in this case? the sleep center was only calling a provider to set up a cpap machine for your husband. they were acting in your husband's best interest in this case... and you probably signed a generic release of information when he had the sleep study. they were contacting another health professional in order to give you the best service. kind of on the same line as calling in a prescription to a pharmacy. you should have thanked them... they were probably trying to get you a better deal on the cpap machine. I pay medical claims, and know insurance sometimes doesn't pay a lot for these...
  • Jess
    i work in a multidisciplinary office, there are separate 'businesses' under one roof. One physician asked the receptionist-in-common if a patient had a visit scheduled with another doctor in the office...is it a HIPAA violation if she gives the answer to the Dr?
  • violet
    sounds like this falls under the "none of your business" category, but not a hipaa violation...unless he needed to know so he could give the patient the best treatment.. in this case, would have to use common sense... and if it seems like this isn't something the doctor should know, then maybe the receptionist should mention something to her supervisor on whether this is information she should give out or not...I personally would tell the doctor I would need to look that up and get back with him.. and then check with my supervisor, or other doctor, to see if this info is ok to give to the other doctor. better safe than sorry.
  • Sue
    My boss is constantly divulging personal information about coworkers including our health issues. I have tried to keep mine from him as I have Hepatitis C for which I was treated for 48 weeks with interferon & rebitol. I was very sick and missed work on FMLA & short-term and long-term medical leave. The treatments were unsuccessful. My boss inadvertently sent me a memo for a "justification" for lay off citing my medical absence as a justification. Has he violated the law?
  • violet
    discussing your personal health information in an email to others that you didn't authorize release to... and you received the email, by accident, that shows this proof... is a hipaa violation... and probably grounds for a lawsuit since you were fired due to a health reason. Remember the movie Philadelphia? An hiv positive lawyer is fired by his employer... and wins a lawsuit against them because they fired him due to his illness. You have proof of this, since you received the email... hope you kept a copy.. and contact a lawyer.
  • Nicole
    I live in South Carolina and there is a medical database here for hospital employees only. A person that knows me through the grapevine that works in the insurance department at the local hospital looked me up on this system with no reason or right. I was pregnant at the time and she wanted to look at my personal sonograms etc. without mine or anybody else's permission. Apparently she continued to do this on a regular basis. I miscarried soon after this started. I came home from the hospital and hadn't told my friends or family about the loss yet when the phone calls started. She had looked it up and proceeded to tell my friends and family before I could. Then she made up lies about the miscarriage saying I was on drugs and all kinds of untrue crazy things. And she swore her access to this website told all this so everybody believes her that I lost my baby due to drugs . . . I've NEVER even done drugs!!! I lost my baby due to a gene mutation. But I have 3 people that have told me they heard it from her and she is telling the world my medical information and adding lies. This has devastated me and my family and I haven't confronted her because I want to take proper legal action. What should I do????
  • violet
    wow.. contact a lawyer. The hospital will be forced to produce the proof that she did this.. believe me, your employer knows everything you do on the computer at work... big time hipaa violation....
  • Anna
    Situation:
    Two healthcare workers are on a bus with other health care workers and one asks the other, "how was your day?" The other worker says - it was ok, I had a couple of patients that had strokes and some of the treatment was a little difficult.

    Another healthcare worker on the bus states this is a HIPAA violation. How is this violating HIPAA if absolutely no patient identifiers were used? More so, how is this any different than a doctor or health care worker posting their resume or using marketing to state the kinds of diagnoses they treat? Couldn't one assume any patient being seen by that person has one of the diagnoses mentioned in the marketing?
  • tracy
    I am asking about the same situation. I said something in the nurses station about a patient and since I said it in front of non-professional personnel they want to say it's a hipaa violation. I did not say the patient's name in the conversation. Is this a violation?
  • helen
    I have a similar case to tracy, whereas a person sitting in our lobby at a medical facility claims she overheard me talking about a patient, she proceeded to go and tell that mother and I was terminated. I was not talking about him but talking to a co-worker about two other cases with the same MRSA procedures to follow. Have I violated HIPAA?
  • Cheryl
    My daughter recently went to our primary physician to obtain a pre-college physical. She could not get an appointment, but was able to take one that I had previously scheduled for myself. Once my daughter stepped in the room with the nurse practitioner, she stated to my daughter, "I see that you switched appointments with your mom, you do know that this appointment was very important for her, as she has a lump on her breast". My daughter was completely shocked because I had not told her about it, as I did not want her to worry before she left for college which is 3000 miles from home. The nurse practitioner realized that my daughter did not know, and instead of trying to apologize began to further discuss the importance of me making another appointment to get in and get my breast checked.
    Never did the nurse practitioner apologize or did she ever call me to alert me to what she did. I have since called my doctor to meet with him to discuss what happened, as you can imagine, I am devastated and want to know if they violated my HIPAA rights or if this was a HIPAA violation? What are the fines or what happens to private practicing physicians when they violate a patient's HIPAA rights?
  • violet
    yes, this is a hipaa violation. i would ask to complete a hipaa report at the physician's office... however, i know from where i work that you have to have so many violations to have grounds for a lawsuit... this sounds like stupidity on the nurse's part... and would get her reprimanded by her employer... but not fined, as far as hipaa violations go... now, if she had gone to the local bus terminal, and announced over the intercom the same information... that's considered more "hits"... and a lot more serious... it would, however, go on her record that she had a hipaa violation... so i would report it to the physician's office...so she'll think twice about doing this again...
  • LISA
    I WORK IN A PHARMACY, HAVE FIBROMYALGIA, & 5 HERNIATED DISCS. I FOUND OUT MY CO WORKERS ARE DISCUSSING MY HEALTH WHEN I'M NOT AROUND. IS THAT A VIOLATION OF HIPAA?
  • violet
    how did they find out your health info? did they access it on the pharmacy records or your health records? if so, then whoever gave your co-workers the personal health information would have violated hipaa laws. if they just are gossiping because you've told someone about it... then, no, not hipaa violation. rude, but not hipaa...
  • Casandra
    Is it a HIPAA violation to give out medical information to an insurance agency if the patient has signed a consent form of information?

    Example: Information about dates/times/ and reasons for an office visit.

    No other information given.
  • violet
    no... that's why the patient signed that authorization to release information... that you made them sign when they first started coming to you. I work for an insurance company... and this is one of the more irritating examples of medical providers not understanding that they already made the patient sign something saying they could release information to the insurance to get the claim paid. Do you want to get the claim paid? If you already had the patient sign a release form to file for insurance... then, please, help the insurance company get the dang claim paid...I hate closing claims.
  • Meg, the information you gave certainly does seem that particular case is a HIPAA violation. People are not supposed to read out loud your medical information in a public setting -- that's kind of HIPAA 101.
  • Shahid,

    It seems to me that given the current administration's pro-regulation, pro-Healthcare IT stance that we can expect to see more HIPAA IT-related penalties and regulations in the coming years.

    Scott
  • meg
    I was in a doctor's office recently and forgot to ask the NP a question. I was having labs done and the girl said to tell the receptionist out front. Then she wanted to know what it was regarding so without thinking myself I was trying to tell her there in the waiting room in front of everyone. Then the nurse comes up front and talks to me at the check in window in front of everyone in the front office and everyone in the waiting room. Not to mention how she talked to me like I was a dog but that is another issue I guess. Is this a violation of HIPAA?!
  • Tracy
    I was recently terminated from the technology department of a major health care organization. There was no good reason for the termination ("at will" employment) however, I suspect the unauthorized access of my medical information. I was on pain medication at the time of termination and suspect my employer found this out through snooping in my file.

    I know hospitals with EMR's can print a report showing who accessed one's medical information. Are the hospitals required to release that report just like they are required to release the actual medical records to a patient?
  • Scott, this is a tough question for me to answer. Have you tried to take a look at some healthcare law blogs out there? Some of the lawyers in the blogosphere might have a better answer. My guess is, though, that once terminated for cause such as a HIPAA violation it would be pretty hard to get hired back.
  • Scott
    I have a question. I work in radiology and another employee with whom I work was taking xrays of a man that placed "something" in his rectum. This employee that I speak of showed other co-workers and ortho doctors his xrays, clearly they were not related to this case and a violation of HIPAA! He was terminated. He is trying to repeal the charge against him now. My boss is vouching for this employee (saying he was a great employee, suggesting that he should have just been suspended and not terminated) and there are rumors of talks he may have his job back. Is this possible? If he does get his job back who should I report to that is higher than HR? I don't want to be a "whistle-blower," but this isn't right, and I don't know who to ask. Please help.
  • macy
    Is discussing a past due bill/current collections in front of other patients at an urgent care center a violation of hipaa? It was stated that the bills will be going to collections and the person was going to no longer be seen. this was expressed by the UC nurse in the waiting room to the patient.
  • Good stuff, I "Stumbled" you. My DIGG account got messed up but I like Stumbling better anyway.
  • Mary
    @Shahid N. Shah

    Thanks for answering me. What kind of attorney would I look for as their speciality?
  • Mary, that's a tough case -- it involves some pretty complicated steps and you're probably better off asking an attorney. However, from what little I see in the comment if the medical information was sent to a person who didn't have permission to it (either by accident or on purpose) then there is a HIPAA violation.
  • Mary
    My daughter, who is 32 and has Down Syndrome, is a dependent on her stepmother's HMO insurance thru her employment in California. My daughter lives with me.

    In 2007 I wrote the insurance company and asked that all and any paperwork concerning my daughter's medical information be sent to our address. They e-mailed back and said since she was over 18 regardless of her disability, she would have to fill out and sign a release authorization form. They sent it, I filled it out saying all paperwork be sent to our address and specifically stated that the stepmother, although the provider, was not to receive any medical information at her home or work address. My daughter printed her name and we sent it back. A couple of weeks later we get a letter from the insurance company stating our request was received and processed.

    April 2009. My daughter has a minor medical problem and her doctor asked for authorization to have a surgeon look at my daughter. A few weeks passed and I had not heard anything so I asked my doctor what the status was. A couple of hours later I get a phone call and the nurse said the authorization had been sent to the wrong address (the stepmother's) but they got another copy and I could pick it up. When I did, the code was wrong and it said her diagnosis was in part due to her pregnancy. She has Down Syndrome and is not pregnant. Now her stepmother, father, and however many people they told or showed the authorization to think this.

    Strong case for HIPAA violation?
  • Betsy
    That was from a previous inquirer by Eileen. This nurse accessed the electronic medical record at her employment after the patient had a code blue incident in the cath lab. The code blue record was incomplete. She obtained the information to fill in the blanks on the record. This same nurse is now accused of HIPAA violation and facing potential termination.
  • Betsy, it sounds like there's a confusion on my part -- the original comment read "Why do nurses and doctors need access to social security numbers, checking account numbers, and other financial information to treat a patient?" You said it was not financial data -- can you elaborate as to why?
  • Betsy
    It was not financial data that was accessed. It was the admitting diagnosis in the history and physical. Apparently IS is tracking how long the electronic record was accessed. But if the information was accessed for the purpose of filling out the code blue record, was that a violation?
  • If the organization is requiring the nurse, as part of his or her job, to deal with SSNs and other PHI (protected health information) and PII (personally identifiable information) which includes viewing financial data then there's no problem with the nurse doing so. There's still a problem with the process, though. It's a hard problem to solve, but nurses shouldn't be given financial data and non-clinicians shouldn't be given clinical data.
  • Betsy
    any response?
  • Betsy
    A nurse accessed a patient's record for information to fill out paperwork record post code. The patient happened to be a physician. Nurse is now being accused of HIPAA violation. Is it?
  • It does seem like a violation from what you said -- there's no need for anyone to see financial information except for the billing department.
  • Eileen
    My husband went to the hospital with an emergency situation. We do not have health insurance. We were asked by the hospital to give them a financial statement, which we did. A nurse hovered over me until I had it completed and signed "for the financial department." The financial information was placed in front of my husband's chart for every one to see and there it remained for at least three days. The nurses kept commenting that we didn't have insurance and one even remarked that if we could afford a house, we should be able to pay. Finally a case worker came to discuss payment, and she left the financial statement in the chart. The next day my husband was discharged and our finances were still in the chart, and the next case worker seemed to think that it was fine to discuss payment arrangements in front of other patients. I find this to be an outrageous infringement upon our privacy. Is this a violation of HIPAA or other acts? Why do nurses and doctors need access to social security numbers, checking account numbers, and other financial information to treat a patient?
  • Janette -- I'm not a lawyer, but from the minimal facts of the case that you conveyed it seems it would not have been a HIPAA violation to give you an account number or a physician name especially since your group performed the actual service. What the insurance firm might be afraid of is that you may not have been authorized to call or that it might be a fraudulent call -- so, if they are being safe and doing the conveyance of the information through mail instead of phone it's not a bad idea although it's a little cumbersome for you.
  • Janette
    I have a question about HIPAA and violations.

    I work for a group of doctors. If I receive payment for a patient and we're unable to identify the patient as the eob doesn't have our patient account number or our physicians names on the eob. Can I call the insurance company to get the information I need to identify the patient with our account number?

    Example: Recently I received a copy of a check along with the eob. The eob information contained the patient name, her policy number, her date of birth, date of service and what services were rendered and the total payment.

    However it did NOT include our acct # or our physician name. When I called to get ONLY our patient acct# or physician name, which would have been on the bill anyway, I was told this was a HIPAA violation and I need to fax in everything and wait until I receive a response.

    Can you clarify if this truly is a violation? How is it a violation if all I need is our acct#, I don't need anything else but to identify which doctor gets paid?