• Text Resize A A A
  • Print Print
  • Share Share on facebook Share on twitter Share

All Case Examples

Hospital Implements New Minimum Necessary Polices for Telephone Messages
Covered Entity: General Hospital
Issue: Minimum Necessary; Confidential Communications

A hospital employee did not observe minimum necessary requirements when she left a telephone message with the daughter of a patient that detailed both her medical condition and treatment plan.  An OCR investigation also indicated that the confidential communications requirements were not followed, as the employee left the message at the patient’s home telephone number, despite the patient’s instructions to contact her through her work number. To resolve the issues in this case, the hospital developed and implemented several new procedures.  One addressed the issue of minimum necessary information in telephone message content.  Employees were trained to provide only the minimum necessary information in messages, and were given specific direction as to what information could be left in a message. Employees also were trained to review registration information for patient contact directives regarding leaving messages.   The new procedures were incorporated into the standard staff privacy training, both as part of a refresher series and mandatory yearly compliance training.


HMO Revises Process to Obtain Valid Authorizations
Covered Entity: Health Plans / HMOs
Issue: Impermissible Uses and Disclosures; Authorizations

A complaint alleged that an HMO impermissibly disclosed a member’s PHI, when it sent her entire medical record to a disability insurance company without her authorization.  An OCR investigation indicated that the form the HMO relied on to make the disclosure was not a valid authorization under the Privacy Rule. Among other corrective actions to resolve the specific issues in the case, the HMO created a new HIPAA-compliant authorization form and implemented a new policy that directs staff to obtain patient signatures on these forms before responding to any disclosure requests, even if patients bring in their own “authorization” form. The new authorization specifies what records and/or portions of the files will be disclosed and the respective authorization will be kept in the patient’s record, together with the disclosed information.  

Back to Top


Mental Health Center Corrects Process for Providing Notice of Privacy Practices
Covered Entity: Outpatient Facility
Issue: Notice

A mental health center did not provide a notice of privacy practices (notice) to a father or his minor daughter, a patient at the center.  In response to OCR’s investigation, the mental health center acknowledged that it had not provided the complainant and his daughter with a notice prior to her mental health evaluation.  To resolve this matter, the mental health center revised its intake assessment policy and procedures to specify that the notice will be provided and the clinician will attempt to obtain a signed acknowledgement of receipt of the notice prior to the intake assessment.  The acknowledgement form is now included in the intake package of forms.  The center also provided OCR with written assurance that all policy changes were brought to the attention of the staff involved in the daughter’s care and then disseminated to all staff affected by the policy change.

Back to Top


Entity Rescinds Improper Charges for Medical Record Copies to Reflect Reasonable, Cost-Based Fees
Covered Entity: Private Practice
Issue: Access

A patient alleged that a covered entity failed to provide him access to his medical records.  After OCR notified the entity of the allegation, the entity released the complainant’s medical records but also billed him $100.00 for a “records review fee” as well as an administrative fee.  The Privacy Rule permits the imposition of a reasonable cost-based fee that includes only the cost of copying and postage and preparing an explanation or summary if agreed to by the individual.  To resolve this matter, the covered entity refunded the $100.00 “records review fee.”

Back to Top


Hospital Issues Guidelines Regarding Disclosures to Avert Threats to Health or Safety
Covered Entity: General Hospital
Issue: Safeguards; Impermissible Uses and Disclosures; Disclosures to Avert a Serious Threat to Health or Safety

After treating a patient injured in a rather unusual sporting accident, the hospital released to the local media, without the patient’s authorization, copies of the patient’s skull x-ray as well as a description of the complainant’s medical condition. The local newspaper then featured on its front page the individual’s x-ray and an article that included the date of the accident, the location of the accident, the patient’s gender, a description of patient’s medical condition, and numerous quotes from the hospital about such unusual sporting accidents.  The hospital asserted that the disclosures were made to avert a serious threat to health or safety; however, OCR’s investigation indicated that the disclosures did not meet the Privacy Rule’s standard for such actions.  The investigation also indicated that the disclosures did not meet the Rule’s de-identification standard and therefore were not permissible without the individual’s authorization. Among other corrective actions to resolve the specific issues in the case, OCR required the hospital to develop and implement a policy regarding disclosures related to serious threats to health and safety, and to train all members of the hospital staff on the new policy.

Back to Top


Private Practice Implements Safeguards for Waiting Rooms
Covered Entity: Private Practice
Issue: Safeguards; Impermissible Uses and Disclosures

A staff member of a medical practice discussed HIV testing procedures with a patient in the waiting room, thereby disclosing PHI to several other individuals.  Also, computer screens displaying patient information were easily visible to patients. Among other corrective actions to resolve the specific issues in the case, OCR required the provider to develop and implement policies and procedures regarding appropriate administrative and physical safeguards related to the communication of PHI.  The practice trained all staff on the newly developed policies and procedures.  In addition, OCR required the practice to reposition its computer monitors to prevent patients from viewing information on the screens, and the practice installed computer monitor privacy screens to prevent impermissible disclosures.  

Back to Top


Pharmacy Chain Enters into Business Associate Agreement with Law Firm
Covered Entity: Pharmacy Chain
Issue: Impermissible Uses and Disclosures; Business Associates

A complaint alleged that a law firm working on behalf of a pharmacy chain in an administrative proceeding impermissibly disclosed the PHI of a customer of the pharmacy chain.  OCR investigated the allegation and found no evidence that the law firm had impermissibly disclosed the customer’s PHI.  However, the investigation revealed that the pharmacy chain and the law firm had not entered into a Business Associate Agreement, as required by the Privacy Rule to ensure that PHI is appropriately safeguarded.  Without a properly executed agreement, a covered entity may not disclose PHI to its law firm.  To resolve the matter, OCR required the pharmacy chain and the law firm to enter into a business associate agreement.

Back to Top


Radiologist Revises Process for Workers Compensation Disclosures
Covered Entity: Health Care Provider
Issue: Impermissible Uses and Disclosures

A radiology practice that interpreted a hospital patient’s imaging tests submitted a worker’s compensation claim to the patient’s employer. The claim included the patient’s test results.  However, the patient was not covered by worker’s compensation and had not identified worker’s compensation as responsible for payment. OCR’s investigation revealed that the radiology practice had relied upon incorrect billing information from the treating hospital in submitting the claim.  Among other corrective actions to resolve the specific issues in the case, the practice apologized to the patient and sanctioned the employee responsible for the incident; trained all billing and coding staff on appropriate insurance claims submission; and revised its policies and procedures to require a specific request from worker’s compensation carriers before submitting test results to them.

Back to Top


Pharmacy Chain Institutes New Safeguards for PHI in Pseudoephedrine Log Books
Covered Entity: Pharmacies
Issue: Safeguards

A grocery store based pharmacy chain maintained pseudoephedrine log books containing protected health information in a manner so that individual protected health information was visible to the public at the pharmacy counter. Initially, the pharmacy chain refused to acknowledge that the log books contained protected health information. OCR issued a written analysis and a demand for compliance. Among other corrective actions to resolve the specific issues in the case, OCR required that the pharmacy chain implement national policies and procedures to safeguard the log books. Moreover, the entity was required to train of all staff on the revised policy. The chain acknowledged that log books contained protected health information and implemented the required changes.

Back to Top


Pharmacy Chain Revises Process for Disclosures to Law Enforcement
Covered Entity: Pharmacies
Issue: Impermissible Uses and Disclosures

A chain pharmacy disclosed protected health information to municipal law enforcement officials in a manner that did not conform to the provisions of the Privacy Rule. Among other corrective actions to resolve the specific issues in the case, OCR required this chain to revise its national policy regarding law enforcement's access to patient protected health information to comply with the Privacy Rule requirements, including that disclosures of protected health information to law enforcement only be made in response to written requests from law enforcement officials, unless state law requires otherwise. The revised policy was implemented in the chains' stores nationwide.

Back to Top


Large Medicaid Plan Corrects Vulnerability that Resulted in Dsiclosure to Non-BA Vendors
Covered Entity: Health Plans
Issue: Impermissible Uses and Disclosures; Safeguards

A municipal social service agency disclosed protected health information while processing Medicaid applications by sending consolidated data to computer vendors that were not business associates. Among other corrective actions to resolve the specific issues in the case, OCR required that the social service agency develop procedures for properly disclosing protected health information only to its valid business associates and to train its staff on the new processes. The new procedures were instituted in Medicaid offices and independent health care programs under the jurisdiction of the municipal social service agency.

Back to Top


Health Plan Corrects Computer Flaw that Caused Mailing of EOBs to Wrong Persons
Covered Entity: Health Plans
Issue: Safeguards

A national health maintenance organization sent explanation of benefits (EOB) by mail to a complainant's unauthorized family member. OCR's investigation determined that a flaw in the health plan's computer system put the protected health information of approximately 2,000 families at risk of disclosure in violation of the Rule. Among the corrective actions required to resolve this case, OCR required the insurer to correct the flaw in its computer system, review all transactions for a six month period and correct all corrupted patient information.

Back to Top


Health Sciences Center Revises Process to Prevent Unauthorized Disclosures to Employers
Covered Entity: General Hospitals
Issue: Impermissible Uses and Disclosures; Authorizations

A state health sciences center disclosed protected health information to a complainant's employer without authorization. Among other corrective actions to resolve the specific issues in the case, including mitigation of harm to the complainant, OCR required the Center to revise its procedures regarding patient authorization prior to release of protected health information to an employer. All staff was trained on the revised procedures.

Back to Top


National Pharmacy Chain Extends Protections for PHI on Insurance Cards
Covered Entity: Pharmacies
Issue: Impermissible Uses and Disclosures; Safeguards

A pharmacy employee placed a customer's insurance card in another customer's prescription bag. The pharmacy did not consider the customer's insurance card to be protected health information (PHI). OCR clarified that an individual's health insurance card meets the statutory definition of PHI and, as such, needs to be safeguarded. Among other corrective actions to resolve the specific issues in the case, the pharmacy revised its policies regarding PHI and retrained its staff. The revised policies are applicable to all individual stores in the pharmacy chain.

Back to Top


Health Plan Corrects Impermissible Disclosure of PHI through Training, Mitigation, and Sanctions
Covered Entity: Health Plans
Issue: Impermissible Uses and Disclosures

An employee of a major health insurer impermissibly disclosed the protected health information of one of its members without following the insurer's authorization and verification procedures. Among other corrective actions to resolve the specific issues in the case, OCR required the health insurer to train its staff on the applicable policies and procedures and to mitigate the harm to the individual. In addition, the employee who made the disclosure was counseled and given a written warning.

Back to Top


Private Practice Revises Process to Provide Access to Records
Covered Entity: Private Practices
Issue: Access

A private practice failed to honor an individual's request for a complete copy of her minor son's medical record. OCR's investigation determined that the private practice had relied on state regulations that permit a covered entity to provide a summary of the record. OCR provided technical assistance to the covered entity, explaining that the Privacy Rule permits a covered entity to provide a summary of patient records rather than the full record only if the requesting individual agrees in advance to such a summary or explanation. Among other corrective actions to resolve the specific issues in the case, OCR required the covered entity to revise its policy. In addition, the covered entity forwarded the complainant a complete copy of the medical record.

Back to Top


Private Practice Revises Process to Provide Access to Records Regardless of Payment Source
Covered Entity: Private Practices
Issue: Access

At the direction of an insurance company that had requested an independent medical exam of an individual, a private medical practice denied the individual a copy of the medical records. OCR determined that the private practice denied the individual access to records to which she was entitled by the Privacy Rule. Among other corrective actions to resolve the specific issues in the case, OCR required that the private practice revise its policies and procedures regarding access requests to reflect the individual's right of access regardless of payment source.

Back to Top


Public Hospital Corrects Impermissible Disclosure of PHI in Response to a Subpoena
Covered Entity: General Hospital
Issue: Impermissible Uses and Disclosures

A public hospital, in response to a subpoena (not accompanied by a court order), impermissibly disclosed the protected health information (PHI) of one of its patients. Contrary to the Privacy Rule protections for information sought for administrative or judicial proceedings, the hospital failed to determine that reasonable efforts had been made to insure that the individual whose PHI was being sought received notice of the request and/or failed to receive satisfactory assurance that the party seeking the information made reasonable efforts to secure a qualified protective order. Among other corrective actions to remedy this situation, OCR required that the hospital revise its subpoena processing procedures. Under the revised process, if a subpoena is received that does not meet the requirements of the Privacy Rule, the information is not disclosed; instead, the hospital contacts the party seeking the subpoena and the requirements of the Privacy Rule are explained. The hospital also trained relevant staff members on the new procedures.

Back to Top


Outpatient Surgical Facility Corrects Privacy Procedure in Research Recruitment
Covered Entity: Outpatient Facility
Issue: Impermissible Uses and Disclosures

An outpatient surgical facility disclosed a patient's protected health information (PHI) to a research entity for recruitment purposes without the patient's authorization or an Institutional Review Board (IRB) or privacy-board-approved waiver of authorization. The outpatient facility reportedly believed that such disclosures were permitted by the Privacy Rule. OCR provided technical assistance to the covered entity regarding the requirement that covered entities seeking to disclose PHI for research recruitment purposes must obtain either a valid patient authorization or an Institutional Review Board (IRB) or privacy-board-approved alteration to or waiver of authorization. Among other corrective actions to resolve the specific issues in the case, OCR required the outpatient facility to: revise its written policies and procedures regarding disclosures of PHI for research recruitment purposes to require valid written authorizations; retrain its entire staff on the new policies and procedures; log the disclosure of the patient's PHI for accounting purposes; and send the patient a letter apologizing for the impermissible disclosure.

Back to Top


Clinic Sanctions Supervisor for Accessing Employee Medical Record
Covered Entity: Outpatient Facility
Issue: Impermissible Use and Disclosure

A hospital employee's supervisor accessed, examined, and disclosed an employee's medical record. OCR's investigation confirmed that the use and disclosure of protected health information by the supervisor was not authorized by the employee and was not otherwise permitted by the Privacy Rule. An employee's medical record is protected by the Privacy Rule, even though employment records held by a covered entity in its role as employer are not. Among other corrective actions to resolve the specific issues in the case, a letter of reprimand was placed in the supervisor's personnel file and the supervisor received additional training about the Privacy Rule. Further, the covered entity counseled the supervisor about appropriate use of the medical information of a subordinate.

Back to Top


Private Practice Provides Access to All Records, Regardless of Source
Covered Entity: Private Practice
Issue: Access

A private practice denied an individual access to his records on the basis that a portion of the individual's record was created by a physician not associated with the practice. While the amendment provisions of the Privacy Rule permit a covered entity to deny an individual's request for an amendment when the covered entity did not create that the portion of the record subject to the request for amendment, no similar provision limits individuals' rights to access their protected health information. Among other steps to resolve the specific issue in this case, OCR required the private practice to revise its access policy and procedures to affirm that, consistent with the Privacy Rule standards, patients have access to their record regardless of whether another entity created information contained within it.

Back to Top


State Hospital Sanctions Employees for Disclosing Patient's PHI
Covered Entity: Health Care Provider / General Hospital
Issue: Impermissible Disclosure

A nurse and an orderly at a state hospital discussed the HIV/AIDS status of a patient and the patient's spouse within earshot of other patients without making reasonable efforts to prevent the disclosure. Upon learning of the incident, the hospital placed both employees on leave; the orderly resigned his employment shortly thereafter. Among other actions taken to satisfactorily resolve this matter, the hospital took further disciplinary action with the nurse, which included: documenting the employee record with a memo of the incident; one year probation; referral for peer review; and further training on HIPAA Privacy. In addition to corrective action taken under the Privacy Rule, the state attorney general's office entered into a monetary settlement agreement with the patient.

Back to Top


Dentist Revises Process to Safeguard Medical Alert PHI
Covered Entity: Health Care Provider
Issue: Safeguards, Minimum Necessary

An OCR investigation confirmed allegations that a dental practice flagged some of its medical records with a red sticker with the word "AIDS" on the outside cover, and that records were handled so that other patients and staff without need to know could read the sticker. When notified of the complaint filed with OCR, the dental practice immediately removed the red AIDS sticker from the complainant's file. To resolve this matter, OCR also required the practice to revise its policies and operating procedures and to move medical alert stickers to the inside cover of the records. Further, the covered entity's Privacy Officer and other representatives met with the patient and apologized, and followed the meeting with a written apology.

Back to Top


Physician Revises Faxing Procedures to Safeguard PHI
Covered Entity: Health Care Provider
Issue: Safeguards

A doctor's office disclosed a patient's HIV status when the office mistakenly faxed medical records to the patient's place of employment instead of to the patient's new health care provider. The employee responsible for the disclosure received a written disciplinary warning, and both the employee and the physician apologized to the patient. To resolve this matter, OCR also required the practice to revise the office's fax cover page to underscore a confidential communication for the intended recipient. The office informed all its employees of the incident and counseled staff on proper faxing procedures.

Back to Top


Large Provider Revises Patient Contact Process to Reflect Requests for Confidential Communications
Covered Entity: General Hospital
Issue: Impermissible Disclosure; Confidential Communications

A patient alleged that a general hospital disclosed protected health information when a hospital staff person left a message on the patient’s home phone answering machine, thereby failing to accommodate the patient’s request that communications of PHI be made only through her mobile or work phones.  In response, the hospital instituted a number of actions to achieve compliance with the Privacy Rule.  To resolve this matter to the satisfaction of OCR, the hospital: retrained an entire Department with regard to the requirements of the Privacy Rule; provided additional specific training to staff members whose job duties included leaving messages for patients; and, revised the Department’s patient privacy policy to clarify patient rights to accommodation of reasonable requests to receive communications of PHI by alternative means or at alternative locations.

Back to Top


Large Health System Restricts Provider's Use of Patient Records
Covered Entity: Multi-Hospital Healthcare Provider
Issue: Impermissible Use

A nurse practitioner who has privileges at a multi-hospital health care system and who is part of the system’s organized health care arrangement impermissibly accessed the medical records of her ex-husband.  In order to resolve this matter to OCR’s satisfaction and to prevent a recurrence, the covered entity: terminated the nurse practitioner’s access to its electronic records system; reported the nurse practitioner’s conduct to the appropriate licensing authority; and, provided the nurse practitioner with remedial Privacy Rule training.

Back to Top


Private Practice Revises Access Procedure to Provide Access Despite an Outstanding Balance
Covered Entity: Private Practice
Issue: Access

A complainant alleged that a private practice physician denied her access to her medical records, because the complainant had an outstanding balance for services the physician had provided. During OCR’s investigation, the physician confirmed that the complainant was not given access to her medical record because of the outstanding balance. OCR provided technical assistance to the physician, explaining that, in general, the Privacy Rule requires that a covered entity provide an individual access to their medical record within 30 days of a request, regardless of whether or not the individual has a balance due. Once the physician learned that he could not withhold access until payment was made, the physician provided the complainant a copy of her medical record.

Back to Top


Hospital Revises Email Distribution as a Result of a Disclosure to Persons Without a "Need to Know"
Covered Entity: General Hospital
Issue: Impermissible Use and Disclosure

A complainant, who was both a patient and an employee of the hospital, alleged that her protected health information (PHI) was impermissibly disclosed to her supervisor. OCR’s investigation revealed that: the hospital distributed an Operating Room (OR) schedule to employees via email; the hospital’s OR schedule contained information about the complainant’s upcoming surgery. While the Privacy Rule may permit the disclosure of an OR schedule containing PHI, in this case, a hospital employee shared the OR scheduled with the complainant’s supervisor, who was not part of the employee's treatment team, and did not need the information for payment, health care operations, or other permissible purposes. The hospital disciplined and retrained the employee who made the impermissible disclosure. Additionally, in order to prevent similar incidents, the hospital undertook a complete review of the distribution of the OR schedule. As a result of this review, the hospital revised the distribution of the OR schedule, limiting it to those who have “a need to know.”

Back to Top


Private Practice Ceases Conditioning of Compliance with the Privacy Rule
Covered Entity: Private Practice
Issue: Conditioning Compliance with the Privacy Rule

A physician practice requested that patients sign an agreement entitled “Consent and Mutual Agreement to Maintain Privacy.” The agreement prohibited the patient from directly or indirectly publishing or airing commentary about the physician, his expertise, and/or treatment in exchange for the physician’s compliance with the Privacy Rule. A patient’s rights under the Privacy Rule are not contingent on the patient’s agreement with a covered entity. A covered entity’s obligation to comply with all requirements of the Privacy Rule cannot be conditioned on the patient’s silence. OCR required the covered entity to cease using the patient agreement that conditioned the entity’s compliance with the Privacy Rule. Additionally, OCR required the covered entity to revise its Notice of Privacy Practices.

Back to Top


Mental Health Center Provides Access after Denial
Covered Entity: Mental Health Center
Issue: Access, Authorization

The complainant alleged that a mental health center (the "Center") improperly provided her records to her auto insurance company and refused to provide her with a copy of her medical records.  The Center provided OCR with a valid authorization, signed by the complainant, permitting the release of information to the auto insurance company.  OCR also determined that the Center denied the complainant's request for access because her therapists believed providing the records to her would likely cause her substantial harm. The Center did not, however, provide the complainant with the opportunity to have the denial reviewed, as required by the Privacy Rule.  Among other corrective action taken to resolve this issue, the Center provided the complainant with a copy of her records.

Back to Top


Mental Health Center Provides Access and Revises Policies and Procedures
Covered Entity: Mental Health Center
Issue: Access, Restrictions

The complainant alleged that a mental health center (the "Center") refused to provide her with a copy of her medical record, including psychotherapy notes. OCR’s investigation revealed that the Center provided the complainant with an opportunity to review her medical record, including the psychotherapy notes, with her therapist, but the Center did not provide her with a copy of her records.  The Privacy Rule requires covered entities to provide individuals with access to their medical records; however, the Privacy Rule exempts psychotherapy notes from this requirement.  Although the Center gave the complainant the opportunity to review her medical record, this did not negate the Center’s obligation to provide the complainant with a copy of her records.  Among other corrective action taken, the Center provided the complainant with a copy of her medical record and revised its policies and procedures to ensure that it provides timely access to all individuals.

Back to Top


Private Practice Revises Policies and Procedures Addressing Activities Preparatory to Research
Covered Entity: Private Practice
Issue: Impermissible Disclosure-Research

A private practice physician who was the principal investigator of a clinical research study disclosed a list of patients and diagnostic codes to a contract research organization to telephone patients for recruitment purposes.  The disclosure was not consistent with documents approved by the Institutional Review Board (IRB). The private practice maintained that the disclosure to the contract research organization was permissible as a review preparatory to research.  Activities considered “preparatory to research” include: preparing a research protocol; developing a research hypothesis; and identifying prospective research participants.  Contacting individuals to participate in a research study is a use or disclosure of protected health information (PHI) for recruitment, as it is part of the research and is not an activity preparatory to research.  To remedy this situation, the private practice revised its policies and procedures regarding the disclosure of PHI and trained all physicians and staff members on the new policies and procedures.  Under the revised policies and procedures, the practice may use and disclose PHI for research purposes, including recruitment, only if a valid authorization is obtained from each individual or if the covered entity obtains documentation that an alteration to or a waiver of the authorization requirement has been approved by an IRB or a Privacy Board.

Back to Top




Content created by Office for Civil Rights (OCR)
Content last reviewed on July 26, 2013
Back to Top