May 29, 2025

A successful practice is built upon a strong foundation of well-trained and aware staff. Protecting patient data is a critical responsibility for healthcare staff. Data breaches involving Protected Health Information (PHI) can occur in many ways, but the foundation of security lies in a workforce committed to safeguarding it. A Florida healthcare provider, BayCare Health System, experienced the consequences of improper disclosure of PHI due to a complaint and a noncompliant staff member in the latest HIPAA fine. Acting Director of the Office for Civil Rights (OCR) Anthony Archeval commented on the importance of managing staff access, saying, “allowing unrestricted access to patient health information can create an attractive target for a malicious insider.”

What Happened?

In 2018, an unnamed complainant visited St. Joseph’s Hospital, a facility under the BayCare Health System, for an appointment. After treatment, she received communication from an unknown contact who sent the complainant photos of her medical records and a video of a BayCare associate scrolling through her file as well. This communication led to a complaint filed with the OCR. Several years of legal interactions and investigations by the OCR resulted in an $800,000 settlement six years later. After the investigation, it was found that BayCare failed to have procedures and policies for handling ePHI, failed to reduce risks, and did not review staff access. This nearly million-dollar fine resulted from a malicious insider, insufficient documentation, and an oversight of staff privileges.

Reviewing staff access is vital for protecting patient data. By monitoring staff activity, you can ensure that PHI does not end up in the wrong hands. Additionally, when providing staff with access to PHI, confirm that access is necessary to complete essential job tasks. This falls under the Minimum Necessary Standard within the HIPAA Privacy Rule, which enforces that disclosed PHI is only shared for an authorized and required purpose. Staff must be thoroughly trained in their responsibilities before accessing PHI, and policies and procedures regarding handling PHI must be readily available for staff to review. While this situation did not lead to jail time, it is not unheard of in the medical field, so staff must also be aware of the consequences.

Training and Monitoring Staff with Abyde

Smart compliance solutions streamline training, policies and procedures, and monitoring access, creating a culture of compliance that protects your organization from malicious insiders. With an intelligent platform managing compliance, you can dynamically generate unique policies and procedures in seconds, automating this task without human error. Additionally, a centralized compliance hub allows staff to review documentation before working with patients and refer to it if there is any confusion. Access logs can also be found in this hub, which keeps staff accountable when they review patient PHI. With intelligent solutions, proactive compliance is made easy, encouraging staff to take their HIPAA responsibilities seriously. Speak with a compliance expert today to learn more about how compliance can be simplified for your practice.

Jacksonville, FL Psychiatric Treatment Facility Faces OSHA Fines After Failing to Protect Workers
July 27, 2023

In a recent investigation, the U.S. Department of Labor’s Occupational Safety and Health Administration (OSHA) discovered alarming safety lapses at a psychiatric health and substance disorder facility in Jacksonville, Florida. The facility, operating as River Point Behavioral Health, failed to implement necessary safety procedures, exposing its workers to serious risks and injuries. One incident involved a patient attacking a registered nurse, highlighting the urgent need for improved workplace safety measures.

Workplace Violence Plagues Healthcare Workers

The incident occurred in January 2023, when a registered nurse employed by UHS of Delaware Inc. and TBJ Behavioral Center LLC was working on reports in a staff-only workspace. Tragically, a patient gained unauthorized access to the area and physically assaulted the nurse, delivering blows to the face and head, resulting in a loss of consciousness and lacerations. This unfortunate incident highlights the growing concern about workplace violence faced by healthcare workers nationwide.

OSHA’s Findings and Consequences

Following the investigation, OSHA cited River Point Behavioral Health for a serious violation, holding them responsible for failing to provide a safe workplace free from recognized health and safety hazards. The agency proposed penalties amounting to $15,625. OSHA’s Area Office Director, Scott Tisdale, emphasized the importance of employers taking swift action to prevent such incidents, ensuring their employees’ physical well-being and peace of mind.

A Pattern of Neglect

This investigation is not an isolated incident for UHS of Delaware Inc. Since 2017, OSHA has looked into three other Florida facilities affiliated with the company due to similar complaints related to workplace violence. The pattern of neglect raises concerns about the company’s commitment to employee safety and the urgent need for comprehensive reforms.

Creating Safer Work Environments

Workplace violence is a pressing issue, particularly within the healthcare sector. Employers must take proactive steps to prevent and address such hazards to ensure the safety of their staff. Safety protocols, proper training, and secure workspaces are just a few measures that can significantly reduce the risks healthcare workers face on a daily basis.

UHS Inc.’s Role and Responsibility

River Point Behavioral Health is affiliated with UHS of Delaware Inc., which is part of UHS Inc., a prominent hospital and healthcare services system with a vast network of facilities in the U.S., Puerto Rico, and the U.K. As a major player in the healthcare industry, UHS Inc. must take the lead in advocating for improved workplace safety standards and ensuring the well-being of its employees. No organization is too big (or small) for OSHA compliance.

Compliance and Future Outlook

River Point Behavioral Health has 15 business days to respond to OSHA’s citations and penalties. The facility can choose to comply with the recommended changes, request an informal conference with OSHA, or contest the findings before the independent Occupational Safety and Health Review Commission. Regardless of the outcome, this investigation serves as a wake-up call for healthcare facilities nationwide to prioritize employee safety and work towards a violence-free workplace.

The recent OSHA investigation sheds light on the pressing issue of workplace violence in psychiatric facilities and healthcare settings. Ensuring employee safety must become a top priority for all industry stakeholders. By implementing comprehensive OSHA compliance software like Abyde and addressing hazards promptly, we can create a work environment where healthcare workers no longer fear for their lives and physical well-being. Together, we can build a safer and more compassionate healthcare industry for patients and those who care for them.

OCR Settles First Case in HIPAA Right of Access Initiative
September 9, 2019

Today, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services is announcing its first enforcement action and settlement in its Right of Access Initiative. Earlier this year, OCR announced this initiative promising to vigorously enforce the rights of patients to receive copies of their medical records promptly and without being overcharged.

Bayfront Health St. Petersburg (Bayfront) has paid $85,000 to OCR and has adopted a corrective action plan to settle a potential violation of the right of access provision of the Health Insurance Portability and Accountability Act (HIPAA) Rules after Bayfront failed to provide a mother timely access to records about her unborn child. Bayfront, based in St. Petersburg, Florida, is a Level II trauma and tertiary care center licensed as a 480-bed hospital with over 550 affiliated physicians.

OCR initiated its investigation based on a complaint from the mother. As a result, Bayfront directly provided the individual with the requested health information more than nine months after the initial request. The HIPAA Rules generally require covered health care providers to provide medical records within 30 days of the request and providers can only charge a reasonable cost-based fee. This right to patient records extends to parents who seek medical information about their minor children, and in this case, a mother who sought prenatal health records about her child.

“Providing patients with their health information not only lowers costs and leads to better health outcomes, it’s the law,” said OCR Director Roger Severino. “We aim to hold the health care industry accountable for ignoring peoples’ rights to access their medical records and those of their kids.”

In addition to the monetary settlement, Bayfront will undertake a corrective action plan that includes one year of monitoring by OCR. The resolution agreement and corrective action plan may be found here.


