Examples of Penalties for Breach

Breach of minimum necessary policies for telephone messages.

Case: A hospital employee did not observe minimum necessary requirements when she left a telephone message with the daughter of a patient detailing the mother’s medical condition and treatment plan. An OCR investigation indicated that confidential communications requirements were not followed, as the employee left the message at the patient’s home telephone number, despite the patient’s instructions to contact her through her work number.

The hospital developed and implemented several new procedures:

  • Procedures addressing the minimum necessary information to include in telephone message content.
  • Training for employees to review registration information for patient contact directives regarding leaving messages. These new procedures were incorporated into the standard staff privacy training.

Breach of private practice waiting room privacy policies.

Case: A staff member of a medical practice discussed HIV testing procedures with a patient in the waiting room, thereby disclosing PHI to several other individuals. Also, computer screens displaying patient information were easily visible to patients.

  • OCR required the provider to develop and implement policies and procedures regarding appropriate administrative and physical safeguards related to communication of PHI.
  • The practice retrained staff on newly developed policies and procedures.
  • OCR required the practice to reposition its computer monitors to prevent patients from viewing information on the screens, and to install computer monitor privacy screens.

Impermissible disclosure of PHI in response to a subpoena.

Case: A public hospital responded to a subpoena that was not accompanied by a court order and impermissibly disclosed the PHI of one of its patients. Contrary to the HIPAA Privacy Rule protections for information sought for administrative or judicial proceedings, the hospital did not ensure that the individual whose PHI was being sought received notice of the request, and so did not obtain satisfactory assurance that the party seeking the information had made reasonable efforts to secure a qualified protective order.

OCR required the hospital to revise its subpoena processing procedures as follows: if a subpoena is received that does not meet the requirements of the HIPAA Privacy Rule, the information is not disclosed; instead, the hospital must contact the party seeking the subpoena to explain the requirements of the HIPAA Privacy Rule.

The hospital must retrain relevant staff members on the new procedures.
