Three California hospitals were fined by state health officials for HIPAA violations involving the medical records of a celebrity patient. Nearly two dozen medical workers at one 218-bed facility illegally accessed the records of the woman who gave birth to octuplets. The hospital was fined $250,000 and over 15 employees were fired or resigned. New HIPAA rules expanded enforcement and increased penalties for privacy violations.
4. HIPAA GONE BAD? This patient’s hospital was fined for doing the right thing- despite reporting the privacy breach and taking immediate disciplinary action. This patient’s hospital is one of few that has sophisticated monitoring technology in place to detect privacy violations.
11. LOS ANGELES, California (CNN) -- The hospital where a California woman gave birth to octuplets in January has been fined $250,000 by the state because nearly two dozen medical workers, including doctors, illegally viewed her medical records, according to state health officials. The California Department of Public Health on July 16 issued an "administrative penalty" of $187,500 after determining that KP Bellflower failed to prevent unauthorized access to the family's confidential patient medical information.
12. CNN News: “24 employees were investigated for violations of health care privacy law - HIPAA
13. I know that 100% prevention of these type of violations is impossible. Nurses need access to patient records. Setting access rights on patient information too tight could cost human lives. What if at the crucial moment in patient's treatment, a nurse is denied access to a patient file? Therefore, where you cannot 100% prevent access to information, you must monitor access to information. And if those people abuse their access privileges, you discipline them.
14.
15. A complete basketball buff, he played with the Kentucky Basketball Team way back in 1979. Vogue magazine has had only two men on their cover-this guy was one of them! Not only is he one of Hollywood’s greatest stars, but he also has a large heart. He offer $1 million towards hurricane relief. Further, he donated his Oscar gifts to raise money for Hurricane Katrina victims. Incidentally, one gift included a Tahitian pearl necklace! Hollywood calls him ‘Gorgeous George’. Dr. Doug Ross
16.
17. 40 Palisades Medical Center employees were investigated – and more than two dozen suspended without pay – for allegedly leaking Clooney's and girlfriend Sarah Larson's private medical records to the media.
18.
19.
20. She auditioned to play Allie Nelson in The Notebook, but lost the part to Rachel McAdams. At age seven she won $50,000 in a singing contest. She is from Kentwood Louisiana She has one Grammy award (won in 2005) and has six nominations: two nominations each in the 2000, 2001 and 2003 ceremonies. She also has had a total of 16 MTV Video Music Award nominations. She spent time in rehab- now back on tour- and not with the Ringling Brothers Biggest Influence: Madonna Birth Date: December 2, 1982 This mother of 2 shaved her head- and went to rehab
23. Best selling poster girl – of all time Red swimsuit Best known for her role in 1970’s television series Lost her battle with cancer this year Perhaps the enactment of _________Law, legislation making it illegal for medical staff, or others who may have access, to leak private medical information to the media, whether they are paid for that information or not, will be something good to come out of the anguish she has had to endure.
24. “Former Medical Center employee has been indicted for snooping in the medical records of the star and selling the information to tabloids” 1947-2009
25. "It is my personal belief that what Lawanda Jackson is most guilty of is being a pawn," Fawcett wrote. "She worked in a hospital system that did not provide strong enough deterrents to stop their employees from breaching their patient's medical records -- which made it all the easier for the tabloids to financially induce ... her to invade my privacy as well as the privacy of others."
26. Hospital Leak Goes Deeper Than Farrah AOL Filed Under: TV News (June 9) - In early April, an employee from the UCLA Medical Center was indicted after selling several celebrities' medical records, including Farrah Fawcett's, to the National Enquirer. But the leaking of information to tabloids may have started long before.
29. WASHINGTON – HHS has delegated the authority for the administration and enforcement of the HIPAA Security Rule to the Office for Civil Rights. The OCR's administration and enforcement of the security rule, which had previously been delegated to the Centers for Medicare and Medicaid Services, will eliminate duplication and improve the department's efforts to ensure that health information privacy is protected.
31. Included as part of the federal stimulus bill known as the American Recovery and Reinvestment Act of 2009 (“ARRA”) is Title XIII, the “Health Information Technology for Economic and Clinical Health Act” or the “HITECH Act.” The HITECH Act contains a sweeping expansion of HIPAA privacy and security regulations. These changes will affect more businesses in more ways than ever before.
32. BUSINESS ASSOCIATES ….an individual or corporate "person" that: performs on behalf of the SMC any function or activity involving the use or disclosure of PHI.
33. Pre-ARRA Rule: BAs were not directly subject to the HIPAA Privacy and Security Rules. Rather, their duties arose out of their BA Agreements. Revise BAAs to incorporate expanded Privacy and Security Rule obligations. Civil and criminal penalties now apply directly to BAs.
34. BREACH NOTIFICATION Notice Required to Individuals: Within 60 days of discovery of a breach, the Privacy Officer must provide notice via first class mail “Breach” generally is the unauthorized acquisition, access, use or disclosure of PHI that compromises the Privacy or Security of that information, excluding certain unintentional or inadvertent disclosures.
35. Pre-ARRA Rule: No affirmative obligation to notify individuals or HHS of a breach of Privacy or Security Rules. Rather, SMC’S obligation to mitigate any harm caused by a breach.
36. Notice to HHS & local media! Sept. 2009 In any case in which 500or more persons are affected by a breach, the covered entity must provide notice to major local media outlets
37. GREATER ENFORCEMENT! ADDITIONAL ENFORCEMENT POWER RELATED TO VIOLATIONS OF PRIVACY & SECURITY RULES *LAWS NOW REQUIRE HHS TO CONDUCT AUDITS
38. Health Information Technology American Recovery and Reinvestment Act (Recovery Act) Implementation Plan Office of the National Coordinator for Health Information Technology Funding Table Total Appropriated (Dollars in Millions) Privacy and Security* $ 24.285 National Institute of Standards and Technology (NIST) 20.000 Regional HIT Exchange 300.000 Unspecified 1,655.715 Total, Health Information Technology $ 2,000.000 *Note: This dollar figure, $24,285,000, includes an estimated $9.5 million for audits by the Office for Civil Rights and the Centers for Medicare & Medicaid Services.
39. HHS is required to distribute portions of the collected penalties to persons FINANCIAL INCENTIVE!!! Minimum per Violation Annual Maximum Maximum Penalties Tier A $25,000 Tier B $100,000 Tier C $250,000 Tier D $1,500,000 Minimum Penalties “Did not know” Tier A $100 “Reasonable cause” Tier B $1,000 “Willful neglect” Tier C $10,000 “Uncorrected violation” Tier D $50,000
40. ARRA: Provisions Changes Due August 2009: Breach notification provisions and PHI breach notification February 2010: Business Associates and Marketing August 2010: Minimum Necessary and Prohibition on sale of electronic health records/PHRs. January 2011: Accounting for Disclosures February 2011: Enforcement for ‘willful neglect’
44. BOTH TYPES HARM YOU IN DIFFERENT WAYS MEDICAL: CAN KILL IDENTITY: IS A HASSLE & CAN HURT FINANCIALLY
45. Inaccurate information can cause an unwarranted adverse action What if a patient were given a medication that reacted with a serious blood disorder because a thief’s diagnosis and treatment had intermingled with the real patient’s record, that stated - no allergies?
46. To detect identity thieves using personal information at your institution Preventing medical identity theft can save patients’ lives. FTC’s Red Flag Rules
47. Warning from consumer reporting agencies Suspicious documents Suspicious personal information Inconsistent with external information sources Documents provided for identification appear to be altered Fraud or active duty alert included in consumer report
48. PROVIDERS AND PLANS Healthcare providers such as SMC along with health plans may become secondary victims Providers may unknowingly submit incorrect precertification or claims and accompanying health information to health plans to justify treatment or payment for the health service rendered A provider may be forced to write off expenses related to the medical identity theft Hidden expenses incur in employees rescinding claims and working numerous hours with the victim to correct and mitigate further risk
Editor's Notes
I want everyone to be aware if of nothing else- the privacy provisions of HIPAA are serious and have significant consequences if they are violated.
Just because we they have access- employees must know the difference between right and wrong & make good judgmentsEven when it comes to viewing their own record! It’s not a violation to access a record if the employee has completed a release- it is part of our policy as well as a state law!
Farah Fosset, if she walked into our facility would be a VIP right-?We would probably be very cautious in protecting her PHI right? We would want to protect her privacy for obvious reasons- people knowing her PHI could pose a threat to her reputation, her seeking treatment could impact her future employment, we want to allow her the opportunity to discuss her condition or illness with who she chooses to, well it is the same for every patient that walks through the door- Just because they are not on the cover of a movie sleeve or tabloid- Mobile is a very small town when it comes to relationships- agree? I know that I have talked a lot about celebrities- but many of the same violations are happening here!I received a complaint from a patient- the basis of the complaint was that a family member who worked here looked into his recordThe employee thought it would be ok to look at a dear relatives chart- well that dear relative who he thought wouldn’t mind- did. The employee accessed the record – then proceeded to call relatives and update them of the condition of the patient who happened to have been admitted for influence of drugs when he came in- do you think the relative was happy when he got the phone call from concerned family members who he had told everyone that he was admitted for “stress” related condition?Our patients trust in the care we provide- they should be able to trust our ability to keep their information secure!
Pt enters the ER unconscious and is given blood type in his record that is not correct
