The examples below are clear-cut HIPAA violations involving unlawful disclosure of, or access to, patient health records. However, it is important to note that not all instances of health information exposure are violations of HIPAA. Each reported case undergoes a rigorous review to determine the severity of the exposure. If the disclosure is handled properly, meaning the viewing party immediately exits or disposes of the disclosed information, the case may be deemed accidental, properly dealt with, and closed.
Case 1 (researcher; extreme case w/ jail; celebrities): In 2003, Huping Zhou, a former cardiothoracic surgeon, was working as a researcher for the UCLA School of Medicine. He was terminated for job performance reasons. Over the three weeks following his termination, he accessed the medical records of his supervisor, coworkers, and celebrities including Leonardo DiCaprio, Tom Hanks, Drew Barrymore and Arnold Schwarzenegger, accessing the system a total of 323 times. He had no legitimate reason for doing so, but he also did not misuse the information or attempt to sell it. Regardless, he violated HIPAA and received four months in federal prison and a $2,000 fine on four misdemeanor counts of accessing and reading confidential medical records.
Case 2 (no encryption): A dermatology practice lost an unencrypted flash drive containing protected health information. The practice was fined $150,000 and was required to implement a corrective action plan.
Case 3 (submitting bills; no full de-identification; improper training): Dr. Barry Helfmann, then president-elect of the American Group Psychotherapy Association, had employees who were improperly forwarding past-due patient bills to a collections firm. These bills still contained protected health information such as patient identification, CPT codes, and patient diagnoses. As a result, the State of New Jersey sought to suspend or revoke his license in 2017. It is extremely important to omit all medical data when submitting bills. Better still, the office should provide only the transaction ledger rather than the "true bill."
Case 4 (social media): In 2017, Olivia O'Leary, a 24-year-old medical technician at Onslow Memorial Hospital, commented "Should have worn her seatbelt…" on a Facebook article about a woman who died in a one-car crash and had been brought to the same hospital where O'Leary worked. Her stated purpose was to raise awareness about wearing seatbelts. However, because of the bad PR and the disclosure of PHI, she was terminated for a HIPAA violation.
Case 5 (cloud services; unencrypted): In 2016, a five-physician cardiology group was found in violation of HIPAA because it was posting surgical and clinical appointments on a public, internet-based calendar. The group paid a $100,000 HIPAA settlement.
Case 6 (sales executive/tactics): In late 2016, Landon Eckles, an ex-district manager for Warner Chilcott (now Actavis), was found to have violated health privacy laws by filling out prior authorization forms on behalf of doctors who prescribed Atelvia in order to win insurance reimbursements. He also placed drug brochures directly into patient charts as a sales tactic, to remind doctors to write those prescriptions. He was fined $10,000 and placed on one year of probation.
Case 7 (careless/open discussion about PHI; unlawful access): Kathryn Trump, a University of Iowa student health center employee, openly discussed a student's pregnancy test with another employee and accessed the patient's chart for more detail. She was found in violation of HIPAA, since medical professionals may discuss PHI only with other medical professionals who are involved in that person's care, and may access a patient's chart only to provide treatment for that individual. She was terminated.