1. Snooping in Healthcare Records
Accessing the health records of patients for reasons other than those permitted by the Privacy Rule – treatment, payment, and healthcare operations – is a violation of patient privacy.
Snooping on healthcare records of family, friends, neighbors, co-workers, and celebrities is one of the most common HIPAA violations committed by employees. When discovered, these violations usually result in termination of employment but could also result in criminal charges for the employee concerned. Financial penalties for healthcare organizations that have failed to prevent snooping are relatively uncommon, but they are possible as University of California Los Angeles Health System discovered.
University of California Los Angeles Health System was fined $865,000 for failing to restrict access to medical records. The healthcare provider was investigated following the discovery that a physician had accessed the medical records of celebrities and other patients without authorization. Dr. Huping Zhou accessed the records of patients without authorization 323 times after learning that he would soon be dismissed. Dr. Zhou became the first healthcare employee to be jailed for a HIPAA violation and was sentenced to four months in federal prison.
2. Failure to Perform an Organization-Wide Risk Analysis
The failure to perform an organization-wide risk analysis is one of the most common HIPAA violations to result in a financial penalty. If the risk analysis is not performed regularly, organizations will not be able to determine whether any vulnerabilities to the confidentiality, integrity, and availability of PHI exist. Risks are therefore likely to remain unaddressed, leaving the door wide open to hackers.
HIPAA settlements with covered entities for the failure to conduct an organization-wide risk assessment include:
Oregon Health & Science University – $2.7 million settlement for the lack of an enterprise-wide risk analysis.
Cardionet – $2.5 million settlement for an incomplete risk analysis and lack of risk management processes.
Cancer Care Group – $750,000 settlement for the failure to conduct an enterprise-wide risk analysis.
Lahey Hospital and Medical Center – $850,000 settlement for the failure to conduct an organization-wide risk assessment and other HIPAA violations.