LEGAL ISSUE IN INFORMATION SECURITY
HIPAA Case Examples
© 2015 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. All rights reserved. www.jblearning.com
This handout is a reprint of several HIPAA case examples published by the U.S. Department of
Health and Human Services (http://www.hhs.gov).
Source: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/allcases.html
URL Last Verified: 2014-05-16
HIPAA Case Examples
Hospital Implements New Polices for Telephone Messages
Covered Entity: General Hospital
Issue: Minimum Necessary; Confidential Communications
A hospital employee did not observe minimum necessary requirements when she left a telephone
message with the daughter of a patient that detailed both her medical condition and treatment plan. An
OCR investigation also indicated that the confidential communications requirements were not followed, as
the employee left the message at the patient’s home telephone number, despite the patient’s instructions
to contact her through her work number. To resolve the issues in this case, the hospital developed and
implemented several new procedures. One addressed the issue of minimum necessary information in
telephone message content. Employees were trained to provide only the minimum necessary information
in messages, and were given specific direction as to what information could be left in a message.
Employees also were trained to review registration information for patient contact directives regarding
leaving messages. The new procedures were incorporated into the standard staff privacy training, both
as part of a refresher series and mandatory yearly compliance training.
HMO Revises Process to Obtain Valid Authorizations
Covered Entity: Health Plans / HMOs
Issue: Impermissible Uses and Disclosures; Authorizations
A complaint alleged that an HMO impermissibly disclosed a member’s PHI, when it sent her entire
medical record to a disability insurance company without her authorization. An OCR investigation
indicated that the form the HMO relied on to make the disclosure was not a valid authorization under the
Privacy Rule. Among other corrective actions to resolve the specific issues in the case, the HMO created
a new HIPAA-compliant authorization form and implemented a new policy that directs staff to obtain
patient signatures on these forms before responding to any disclosure requests, even if patients bring in
their own “authorization” form. The new authorization specifies what records and/or portions of the files
will be disclosed and the respective authorization will be kept in the patient’s record, together with the
disclosed information.
Mental Health Center Corrects Process for Providing Notice of Privacy Practices
Covered Entity: Outpatient Facility
Issue: Notice
Page 2
A mental health center did not provide a notice of privacy practices (notice) to a father or his minor
daughter, a patient at the center. In response to OCR’s investigation, the mental health center
acknowledged that it had not provided the complainant and his daughter with a notice prior to her mental
health evaluation. To resolve this matter, the mental health center revised its intake assessment policy
and procedures to specify that the notice will be provided and the clinician will attempt to obtain a signed
acknowledgement of receipt of the notice prior to the intake assessment. The acknowledgement form is
now included in the intake package of forms. The center also provided OCR with written assurance that
all policy changes were brought to the attention of the staff involved in the daughter’s care and then
disseminated to all staff affected by the policy change.
Entity Rescinds Improper Billing for Medical Record Copies
Covered Entity: Private Practice
Issue: Access
A patient alleged that a covered entity failed to provide him access to his medical records. After OCR
notified the entity of the allegation, the entity released the complainant’s medical records but also billed
him $100.00 for a “records review fee” as well as an administrative fee. The Privacy Rule permits the
imposition of a reasonable cost-based fee that includes only the cost of copying and postage and
preparing an explanation or summary if agreed to by the individual. To resolve this matter, the covered
entity refunded the $100.00 “records review fee.”
Hospital Issues Guidelines Regarding Disclosures to Avert Threats to Health or Safety
Covered Entity: General Hospital
Issue: Safeguards; Impermissible Uses and Disclosures; Disclosures to Avert a Serious Threat to Health
or Safety
After treating a patient injured in a rather unusual sporting accident, the hospital released to the local
media, without the patient’s authorization, copies of the patient’s skull x-ray as well as a description of the
complainant’s medical condition. The local newspaper then featured on its front page the individual’s x-
ray and an article that included the date of the accident, the location of the accident, the patient’s gender,
a description of patient’s medical condition, and numerous quotes from the hospital about such unusual
sporting accidents. The hospital asserted that the disclosures were made to avert a serious threat to
health or safety; however, OCR’s investigation indicated that the disclosures did not meet the Privacy
Rule’s standard for such actions. The investigation also indicated that the disclosures did not meet the
Rule’s de-identification standard and therefore were not permissible without the individual’s authorization.
Page 3
Among other corrective actions to resolve the specific issues in the case, OCR required the hospital to
develop and implement a policy regarding disclosures related to serious threats to health and safety, and
to train all members of the hospital staff on the new policy.
Page 4