All Case Examples _ HHS.gov
A hospital employee did not observe minimum necessary requirements when she left a telephone message with the
daughter of a patient that detailed both her medical condition and treatment plan. An OCR investigation also
indicated that the confidential communications requirements were not followed, as the employee left the message at
the patient’s home telephone number, despite the patient’s instructions to contact her through her work number. To
resolve the issues in this case, the hospital developed and implemented several new procedures. One addressed the
issue of minimum necessary information in telephone message content. Employees were trained to provide only the
minimum necessary information in messages, and were given specific direction as to what information could be left in
a message. Employees also were trained to review registration information for patient contact directives regarding
leaving messages. The new procedures were incorporated into the standard staff privacy training, both as part of a
refresher series and mandatory yearly compliance training.
A complaint alleged that an HMO impermissibly disclosed a member’s PHI, when it sent her entire medical record to a
disability insurance company without her authorization. An OCR investigation indicated that the form the HMO relied
on to make the disclosure was not a valid authorization under the Privacy Rule. Among other corrective actions to
resolve the specific issues in the case, the HMO created a new HIPAA-compliant authorization form and implemented a
new policy that directs staff to obtain patient signatures on these forms before responding to any disclosure requests,
even if patients bring in their own “authorization” form. The new authorization specifies what records and/or portions
of the files will be disclosed and the respective authorization will be kept in the patient’s record, together with the
disclosed information.
Mental Health Center Corrects Process for Providing Notice of Privacy Practices
Covered Entity: Outpatient Facility
Issue: Notice
A mental health center did not provide a notice of privacy practices (notice) to a father or his minor daughter, a patient
at the center. In response to OCR’s investigation, the mental health center acknowledged that it had not provided the
complainant and his daughter with a notice prior to her mental health evaluation. To resolve this matter, the mental
health center revised its intake assessment policy and procedures to specify that the notice will be provided and the
clinician will attempt to obtain a signed acknowledgement of receipt of the notice prior to the intake assessment. The
acknowledgement form is now included in the intake package of forms. The center also provided OCR with written
assurance that all policy changes were brought to the attention of the staff involved in the daughter’s care and then
disseminated to all staff affected by the policy change.
Entity Rescinds Improper Charges for Medical Record Copies to Reflect Reasonable, Cost-Based Fees
Covered Entity: Private Practice
Issue: Access
A patient alleged that a covered entity failed to provide him access to his medical records. After OCR notified the entity
of the allegation, the entity released the complainant’s medical records but also billed him $100.00 for a “records
review fee” as well as an administrative fee. The Privacy Rule permits the imposition of a reasonable cost-based fee
that includes only the cost of copying and postage and preparing an explanation or summary if agreed to by the
individual. To resolve this matter, the covered entity refunded the $100.00 “records review fee.”
After treating a patient injured in a rather unusual sporting accident, the hospital released to the local media, without
the patient’s authorization, copies of the patient’s skull x-ray as well as a description of the complainant’s medical
condition. The local newspaper then featured on its front page the individual’s x-ray and an article that included the
date of the accident, the location of the accident, the patient’s gender, a description of patient’s medical condition,
and numerous quotes from the hospital about such unusual sporting accidents. The hospital asserted that the
disclosures were made to avert a serious threat to health or safety; however, OCR’s investigation indicated that the
disclosures did not meet the Privacy Rule’s standard for such actions. The investigation also indicated that the
disclosures did not meet the Rule’s de-identification standard and therefore were not permissible without the
individual’s authorization. Among other corrective actions to resolve the specific issues in the case, OCR required the
hospital to develop and implement a policy regarding disclosures related to serious threats to health and safety, and
to train all members of the hospital staff on the new policy.
A staff member of a medical practice discussed HIV testing procedures with a patient in the waiting room, thereby
disclosing PHI to several other individuals. Also, computer screens displaying patient information were easily visible
to patients. Among other corrective actions to resolve the specific issues in the case, OCR required the provider to
develop and implement policies and procedures regarding appropriate administrative and physical safeguards related
to the communication of PHI. The practice trained all staff on the newly developed policies and procedures. In
addition, OCR required the practice to reposition its computer monitors to prevent patients from viewing information
on the screens, and the practice installed computer monitor privacy screens to prevent impermissible disclosures.
Pharmacy Chain Enters into Business Associate Agreement with Law Firm
Covered Entity: Pharmacy Chain
Issue: Impermissible Uses and Disclosures; Business Associates
A complaint alleged that a law firm working on behalf of a pharmacy chain in an administrative proceeding
impermissibly disclosed the PHI of a customer of the pharmacy chain. OCR investigated the allegation and found no
evidence that the law firm had impermissibly disclosed the customer’s PHI. However, the investigation revealed that
the pharmacy chain and the law firm had not entered into a Business Associate Agreement, as required by the Privacy
Rule to ensure that PHI is appropriately safeguarded. Without a properly executed agreement, a covered entity may
not disclose PHI to its law firm. To resolve the matter, OCR required the pharmacy chain and the law firm to enter into
a business associate agreement.
A radiology practice that interpreted a hospital patient’s imaging tests submitted a worker’s compensation claim to
the patient’s employer. The claim included the patient’s test results. However, the patient was not covered by
worker’s compensation and had not identified worker’s compensation as responsible for payment. OCR’s investigation
revealed that the radiology practice had relied upon incorrect billing information from the treating hospital in
submitting the claim. Among other corrective actions to resolve the specific issues in the case, the practice apologized
to the patient and sanctioned the employee responsible for the incident; trained all billing and coding staff on
appropriate insurance claims submission; and revised its policies and procedures to require a specific request from
worker’s compensation carriers before submitting test results to them.
Pharmacy Chain Institutes New Safeguards for PHI in Pseudoephedrine Log Books
Covered Entity: Pharmacies
Issue: Safeguards
A grocery-store-based pharmacy chain maintained pseudoephedrine log books containing protected health
information in a manner so that individual protected health information was visible to the public at the pharmacy
counter. Initially, the pharmacy chain refused to acknowledge that the log books contained protected health
information. OCR issued a written analysis and a demand for compliance. Among other corrective actions to resolve
the specific issues in the case, OCR required that the pharmacy chain implement national policies and procedures to
safeguard the log books. Moreover, the entity was required to train all staff on the revised policy. The chain
acknowledged that log books contained protected health information and implemented the required changes.
A chain pharmacy disclosed protected health information to municipal law enforcement officials in a manner that did
not conform to the provisions of the Privacy Rule. Among other corrective actions to resolve the specific issues in the
case, OCR required this chain to revise its national policy regarding law enforcement's access to patient protected
health information to comply with the Privacy Rule requirements, including that disclosures of protected health
information to law enforcement only be made in response to written requests from law enforcement officials, unless
state law requires otherwise. The revised policy was implemented in the chain's stores nationwide.
Large Medicaid Plan Corrects Vulnerability that Resulted in Disclosure to Non-BA Vendors
Covered Entity: Health Plans
Issue: Impermissible Uses and Disclosures; Safeguards
A municipal social service agency disclosed protected health information while processing Medicaid applications by
sending consolidated data to computer vendors that were not business associates. Among other corrective actions to
resolve the specific issues in the case, OCR required that the social service agency develop procedures for properly
disclosing protected health information only to its valid business associates and to train its staff on the new processes.
The new procedures were instituted in Medicaid offices and independent health care programs under the jurisdiction
of the municipal social service agency.
Health Plan Corrects Computer Flaw that Caused Mailing of EOBs to Wrong Persons
Covered Entity: Health Plans
Issue: Safeguards
A national health maintenance organization sent an explanation of benefits (EOB) by mail to a complainant's
unauthorized family member. OCR's investigation determined that a flaw in the health plan's computer system put the
protected health information of approximately 2,000 families at risk of disclosure in violation of the Rule. Among the
corrective actions required to resolve this case, OCR required the insurer to correct the flaw in its computer system,
review all transactions for a six-month period, and correct all corrupted patient information.
A state health sciences center disclosed protected health information to a complainant's employer without
authorization. Among other corrective actions to resolve the specific issues in the case, including mitigation of harm to
the complainant, OCR required the Center to revise its procedures regarding patient authorization prior to release of
protected health information to an employer. All staff were trained on the revised procedures.
A pharmacy employee placed a customer's insurance card in another customer's prescription bag. The pharmacy did
not consider the customer's insurance card to be protected health information (PHI). OCR clarified that an individual's
health insurance card meets the statutory definition of PHI and, as such, needs to be safeguarded. Among other
corrective actions to resolve the specific issues in the case, the pharmacy revised its policies regarding PHI and
retrained its staff. The revised policies are applicable to all individual stores in the pharmacy chain.
Health Plan Corrects Impermissible Disclosure of PHI through Training, Mitigation, and Sanctions
Covered Entity: Health Plans
Issue: Impermissible Uses and Disclosures
An employee of a major health insurer impermissibly disclosed the protected health information of one of its
members without following the insurer's authorization and verification procedures. Among other corrective actions to
resolve the specific issues in the case, OCR required the health insurer to train its staff on the applicable policies and
procedures and to mitigate the harm to the individual. In addition, the employee who made the disclosure was
counseled and given a written warning.
Private Practice Revises Process to Provide Access to Records
Covered Entity: Private Practices
Issue: Access
A private practice failed to honor an individual's request for a complete copy of her minor son's medical record. OCR's
investigation determined that the private practice had relied on state regulations that permit a covered entity to
provide a summary of the record. OCR provided technical assistance to the covered entity, explaining that the Privacy
Rule permits a covered entity to provide a summary of patient records rather than the full record only if the requesting
individual agrees in advance to such a summary or explanation. Among other corrective actions to resolve the specific
issues in the case, OCR required the covered entity to revise its policy. In addition, the covered entity forwarded the
complainant a complete copy of the medical record.
Private Practice Revises Process to Provide Access to Records Regardless of Payment Source
Covered Entity: Private Practices
Issue: Access
At the direction of an insurance company that had requested an independent medical exam of an individual, a private
medical practice denied the individual a copy of the medical records. OCR determined that the private practice denied
the individual access to records to which she was entitled by the Privacy Rule. Among other corrective actions to
resolve the specific issues in the case, OCR required that the private practice revise its policies and procedures
regarding access requests to reflect the individual's right of access regardless of payment source.
A public hospital, in response to a subpoena (not accompanied by a court order), impermissibly disclosed the
protected health information (PHI) of one of its patients. Contrary to the Privacy Rule protections for information
sought for administrative or judicial proceedings, the hospital failed to determine that reasonable efforts had been
made to ensure that the individual whose PHI was being sought received notice of the request and/or failed to receive
satisfactory assurance that the party seeking the information made reasonable efforts to secure a qualified protective
order. Among other corrective actions to remedy this situation, OCR required that the hospital revise its subpoena
processing procedures. Under the revised process, if a subpoena is received that does not meet the requirements of
the Privacy Rule, the information is not disclosed; instead, the hospital contacts the party seeking the subpoena and
the requirements of the Privacy Rule are explained. The hospital also trained relevant staff members on the new
procedures.
Outpatient Surgical Facility Corrects Privacy Procedure in Research Recruitment
Covered Entity: Outpatient Facility
Issue: Impermissible Uses and Disclosures
An outpatient surgical facility disclosed a patient's protected health information (PHI) to a research entity for
recruitment purposes without the patient's authorization or an Institutional Review Board (IRB) or privacy-board-
approved waiver of authorization. The outpatient facility reportedly believed that such disclosures were permitted by
the Privacy Rule. OCR provided technical assistance to the covered entity regarding the requirement that covered
entities seeking to disclose PHI for research recruitment purposes must obtain either a valid patient authorization or
an Institutional Review Board (IRB) or privacy-board-approved alteration to or waiver of authorization. Among other
corrective actions to resolve the specific issues in the case, OCR required the outpatient facility to: revise its written
policies and procedures regarding disclosures of PHI for research recruitment purposes to require valid written
authorizations; retrain its entire staff on the new policies and procedures; log the disclosure of the patient's PHI for
accounting purposes; and send the patient a letter apologizing for the impermissible disclosure.
A hospital employee's supervisor accessed, examined, and disclosed an employee's medical record. OCR's
investigation confirmed that the use and disclosure of protected health information by the supervisor was not
authorized by the employee and was not otherwise permitted by the Privacy Rule. An employee's medical record is
protected by the Privacy Rule, even though employment records held by a covered entity in its role as employer are
not. Among other corrective actions to resolve the specific issues in the case, a letter of reprimand was placed in the
supervisor's personnel file and the supervisor received additional training about the Privacy Rule. Further, the covered
entity counseled the supervisor about appropriate use of the medical information of a subordinate.
A private practice denied an individual access to his records on the basis that a portion of the individual's record was
created by a physician not associated with the practice. While the amendment provisions of the Privacy Rule permit a
covered entity to deny an individual's request for an amendment when the covered entity did not create the
portion of the record subject to the request for amendment, no similar provision limits individuals' rights to access
their protected health information. Among other steps to resolve the specific issue in this case, OCR required the
private practice to revise its access policy and procedures to affirm that, consistent with the Privacy Rule standards,
patients have access to their record regardless of whether another entity created information contained within it.
State Hospital Sanctions Employees for Disclosing Patient's PHI
Covered Entity: Health Care Provider / General Hospital
Issue: Impermissible Disclosure
A nurse and an orderly at a state hospital discussed the HIV/AIDS status of a patient and the patient's spouse within
earshot of other patients without making reasonable efforts to prevent the disclosure. Upon learning of the incident,
the hospital placed both employees on leave; the orderly resigned his employment shortly thereafter. Among other
actions taken to satisfactorily resolve this matter, the hospital took further disciplinary action against the nurse, which
included: documenting the employee record with a memo of the incident; one year probation; referral for peer review;
and further training on HIPAA Privacy. In addition to corrective action taken under the Privacy Rule, the state attorney
general's office entered into a monetary settlement agreement with the patient.
An OCR investigation confirmed allegations that a dental practice flagged some of its medical records with a red
sticker with the word "AIDS" on the outside cover, and that records were handled so that other patients and staff
without need to know could read the sticker. When notified of the complaint filed with OCR, the dental practice
immediately removed the red AIDS sticker from the complainant's file. To resolve this matter, OCR also required the
practice to revise its policies and operating procedures and to move medical alert stickers to the inside cover of the
records. Further, the covered entity's Privacy Officer and other representatives met with the patient and apologized,
and followed the meeting with a written apology.
A doctor's office disclosed a patient's HIV status when the office mistakenly faxed medical records to the patient's
place of employment instead of to the patient's new health care provider. The employee responsible for the disclosure
received a written disciplinary warning, and both the employee and the physician apologized to the patient. To
resolve this matter, OCR also required the practice to revise the office's fax cover page to underscore a confidential
communication for the intended recipient. The office informed all its employees of the incident and counseled staff on
proper faxing procedures.
Large Provider Revises Patient Contact Process to Reflect Requests for Confidential Communications
Covered Entity: General Hospital
Issue: Impermissible Disclosure; Confidential Communications
A patient alleged that a general hospital disclosed protected health information when a hospital staff person left a
message on the patient’s home phone answering machine, thereby failing to accommodate the patient’s request that
communications of PHI be made only through her mobile or work phones. In response, the hospital instituted a
number of actions to achieve compliance with the Privacy Rule. To resolve this matter to the satisfaction of OCR, the
hospital: retrained an entire Department with regard to the requirements of the Privacy Rule; provided additional
specific training to staff members whose job duties included leaving messages for patients; and revised the
Department’s patient privacy policy to clarify patient rights to accommodation of reasonable requests to receive
communications of PHI by alternative means or at alternative locations.
A nurse practitioner who has privileges at a multi-hospital health care system and who is part of the system’s
organized health care arrangement impermissibly accessed the medical records of her ex-husband. In order to resolve
this matter to OCR’s satisfaction and to prevent a recurrence, the covered entity: terminated the nurse practitioner’s
access to its electronic records system; reported the nurse practitioner’s conduct to the appropriate licensing
authority; and provided the nurse practitioner with remedial Privacy Rule training.
Private Practice Revises Access Procedure to Provide Access Despite an Outstanding Balance
Covered Entity: Private Practice
Issue: Access
A complainant alleged that a private practice physician denied her access to her medical records, because the
complainant had an outstanding balance for services the physician had provided. During OCR’s investigation, the
physician confirmed that the complainant was not given access to her medical record because of the outstanding
balance. OCR provided technical assistance to the physician, explaining that, in general, the Privacy Rule requires that
a covered entity provide an individual access to their medical record within 30 days of a request, regardless of whether
or not the individual has a balance due. Once the physician learned that he could not withhold access until payment
was made, the physician provided the complainant a copy of her medical record.
Hospital Revises Email Distribution as a Result of a Disclosure to Persons Without a "Need to Know"
Covered Entity: General Hospital
Issue: Impermissible Use and Disclosure
A complainant, who was both a patient and an employee of the hospital, alleged that her protected health information
(PHI) was impermissibly disclosed to her supervisor. OCR’s investigation revealed that: the hospital distributed an
Operating Room (OR) schedule to employees via email; the hospital’s OR schedule contained information about the
complainant’s upcoming surgery. While the Privacy Rule may permit the disclosure of an OR schedule containing PHI,
in this case, a hospital employee shared the OR schedule with the complainant’s supervisor, who was not part of the
employee's treatment team, and did not need the information for payment, health care operations, or other
permissible purposes. The hospital disciplined and retrained the employee who made the impermissible disclosure.
Additionally, in order to prevent similar incidents, the hospital undertook a complete review of the distribution of the
OR schedule. As a result of this review, the hospital revised the distribution of the OR schedule, limiting it to those who
have “a need to know.”
A physician practice requested that patients sign an agreement entitled “Consent and Mutual Agreement to Maintain
Privacy.” The agreement prohibited the patient from directly or indirectly publishing or airing commentary about the
physician, his expertise, and/or treatment in exchange for the physician’s compliance with the Privacy Rule. A patient’s
rights under the Privacy Rule are not contingent on the patient’s agreement with a covered entity. A covered entity’s
obligation to comply with all requirements of the Privacy Rule cannot be conditioned on the patient’s silence. OCR
required the covered entity to cease using the patient agreement that conditioned the entity’s compliance with the
Privacy Rule. Additionally, OCR required the covered entity to revise its Notice of Privacy Practices.
The complainant alleged that a mental health center (the "Center") improperly provided her records to her auto
insurance company and refused to provide her with a copy of her medical records. The Center provided OCR with a
valid authorization, signed by the complainant, permitting the release of information to the auto insurance company.
OCR also determined that the Center denied the complainant's request for access because her therapists believed
providing the records to her would likely cause her substantial harm. The Center did not, however, provide the
complainant with the opportunity to have the denial reviewed, as required by the Privacy Rule. Among other
corrective action taken to resolve this issue, the Center provided the complainant with a copy of her records.
Mental Health Center Provides Access and Revises Policies and Procedures
Covered Entity: Mental Health Center
Issue: Access, Restrictions
The complainant alleged that a mental health center (the "Center") refused to provide her with a copy of her medical
record, including psychotherapy notes. OCR’s investigation revealed that the Center provided the complainant with an
opportunity to review her medical record, including the psychotherapy notes, with her therapist, but the Center did
not provide her with a copy of her records. The Privacy Rule requires covered entities to provide individuals with
access to their medical records; however, the Privacy Rule exempts psychotherapy notes from this requirement.
Although the Center gave the complainant the opportunity to review her medical record, this did not negate the
Center’s obligation to provide the complainant with a copy of her records. Among other corrective action taken, the
Center provided the complainant with a copy of her medical record and revised its policies and procedures to ensure
that it provides timely access to all individuals.
Private Practice Revises Policies and Procedures Addressing Activities Preparatory to Research
Covered Entity: Private Practice
Issue: Impermissible Disclosure-Research
A private practice physician who was the principal investigator of a clinical research study disclosed a list of patients
and diagnostic codes to a contract research organization to telephone patients for recruitment purposes. The
disclosure was not consistent with documents approved by the Institutional Review Board (IRB). The private practice
maintained that the disclosure to the contract research organization was permissible as a review preparatory to
research. Activities considered “preparatory to research” include: preparing a research protocol; developing a
research hypothesis; and identifying prospective research participants. Contacting individuals to participate in a
research study is a use or disclosure of protected health information (PHI) for recruitment, as it is part of the research
and is not an activity preparatory to research. To remedy this situation, the private practice revised its policies and
procedures regarding the disclosure of PHI and trained all physicians and staff members on the new policies and
procedures. Under the revised policies and procedures, the practice may use and disclose PHI for research purposes,
including recruitment, only if a valid authorization is obtained from each individual or if the covered entity obtains
documentation that an alteration to or a waiver of the authorization requirement has been approved by an IRB or a
Privacy Board.