Memorial Healthcare System (“MHS”) settled with the U.S. Department of Health and Human Services (“DHHS”) for $5.5 million for potential violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy and Security Rules. MHS is a South Florida corporation that operates six hospitals, an urgent care center, a nursing home, and a variety of ancillary health care facilities and is also affiliated with physician offices through an organized health care arrangement (“OHCA”).
MHS reported to the DHHS Office for Civil Rights (“OCR”) that the protected health information (“PHI”) of 115,143 individuals had been impermissibly accessed by its employees and impermissibly disclosed to affiliated physician office staff. This information consisted of the affected individuals’ names, dates of birth, and social security numbers. The login credentials of a former employee of an affiliated physician’s office had been used to access the electronic protected health information (“EPHI”) maintained by MHS on a daily basis without detection from April 2011 to April 2012, affecting 80,000 individuals. Although it had workforce access policies and procedures in place, MHS had failed to implement procedures for reviewing, modifying, and/or terminating users’ rights of access and had also failed to regularly review records of information system activity on applications that maintain EPHI by workforce users and users at affiliated physician practices, as required for audit controls in § 45 C.F.R. 164.313, despite having identified this risk on several risk analyses conducted by MHS from 2007 to 2012.
OCR noted that “organizations must implement audit controls and review audit logs regularly. As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen.”
This case highlights that it is not enough just to conduct a risk analysis. You must follow through with implementing reasonable and appropriate security measures for the risks that you identified. See the Resolution Agreement and Corrective Action Plan at https://www.hhs.gov/sites/default/files/memorial-ra-cap.pdf.
Alice here. As an aside, please note that Jon Tomes will be out of the net (as he and his buddies said when they were serving in the U.S. Army) for a few weeks. If you need our help with a HIPAA issue, please contact me directly at iammccart@gmail.com. Till Jon gets back, please stay tuned. I will be posting several of his blog items that he has put together as a HIPAA update potpourri. Today’s post is the first of those. As always, please update at least annually your risk analysis, draft/revise, implement, and enforce reasonable and appropriate policies based on your risk analysis, and train all of your workforce at least annually. We say update at least annually, but of course, please do so more often if you have changes in your physical location, your type of practice, your computer system(s), your staff duties, your security system(s), and so forth. And make sure that you document your risk analysis update, policies implementation based on your risk analysis initial draft/update(s), and annual HIPAA training in writing, and keep that written documentation of HIPAA compliance for the required 6 years.