On June 15, 2023, the US Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement with a community hospital located in Yakima, Washington resolving an investigation under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). OCR investigated allegations that several security guards from the hospital had impermissibly accessed the medical records of 419 individuals. To voluntarily resolve the matter, the hospital agreed to pay $240,000 and implement a plan to update its policies and procedures to safeguard protected health information (PHI) and train its workforce members to prevent this type of snooping behavior in the future.
In May 2018, OCR initiated an investigation of the hospital following the receipt of a breach notification report which stated that 23 security guards working in the hospital’s emergency department had used their login credentials to access patient medical records maintained in the hospital’s electronic medical record system without a job-related purpose. The information accessed included names, dates of birth, medical record numbers, addresses, certain notes related to treatment, and insurance information.
As a result of the settlement agreement, the hospital will be monitored for two years by OCR to ensure compliance with the HIPAA Security Rule. The hospital has agreed to take the following steps to bring its organization into compliance with the HIPAA Rules:
- Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic protected health information (ePHI);
- Develop and implement a risk management plan to address and mitigate identified security risks and vulnerabilities identified in the risk analysis;
- Develop, maintain, and revise, as necessary, its written HIPAA policies and procedures;
- Enhance its existing HIPAA and Security Training Program to provide workforce training on the updated HIPAA policies and procedures;
- Review all relationships with vendors and third-party service providers to identify business associates and obtain business associate agreements with business associates if not already in place.
OCR Director Melanie Fontes Rainer said, “Data breaches caused by current and former workforce members impermissibly accessing patient records are a recurring issue across the healthcare industry. Healthcare organizations must ensure that workforce members can only access the patient information needed to do their jobs. HIPAA-covered entities must have robust policies and procedures in place to ensure patient health information is protected from identity theft and fraud.”
Compliance Perspective
Issue
The HIPAA Security Rule requires facilities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting ePHI. Facilities must ensure the confidentiality of all ePHI they create, receive, maintain, or transmit. The Security Rule defines confidentiality to mean that ePHI is not available or disclosed to unauthorized persons. The Security Rule’s confidentiality requirements support the Privacy Rule’s prohibitions against improper uses and disclosures of PHI. Facilities must provide for appropriate authorization and supervision of workforce members who work with ePHI. All workforce members must be trained regarding security policies and procedures, and facilities must have and apply appropriate sanctions against workforce members who violate the policies and procedures.
Discussion Points
- Review policies and procedures related to HIPAA, PHI, and Privacy. Ensure that they address preventing staff from impermissibly accessing PHI and ePHI.
- Train all staff on HIPAA, PHI, and Privacy, minimally upon hire and annually. Document that these trainings occurred and file the signed training document in the employees’ education files.
- Periodically audit to ensure that the facility’s policies and procedures for HIPAA, PHI, and Privacy are being followed by all staff, and that each person demonstrates understanding and competency. Also audit to ensure PHI and ePHI are not being accessed inappropriately.
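The audit described in the last discussion point is easiest to sustain when it runs against the electronic medical record system’s access log rather than relying on manual chart review. The following is an added example, not code from the alert or from any hospital or vendor: it reads a constructed audit export (the column names and the `CHART_ROLES` list are assumptions for illustration, not a real product’s schema or a HIPAA-defined role list) and flags two patterns relevant to the incident above: chart views by a role with no job-related reason to open a chart, and an authorized role opening an unusually large number of distinct patients in one day.

```python
"""
Added example: auditing EHR access logs for chart views that do not fit the
user's job role. All log lines below are constructed for illustration.
"""
import csv
from collections import defaultdict
from io import StringIO

# Roles assumed (for this example) to have a treatment, payment or
# operations reason to open a patient chart. Not a HIPAA-defined list.
CHART_ROLES = {"physician", "nurse", "pharmacist", "registration"}

# Distinct patients per user per day above which even an authorized role
# deserves a second look. Assumed value; tune to the facility's workload.
DISTINCT_PATIENT_THRESHOLD = 50

# Constructed audit export. The column layout is an assumed schema.
SAMPLE_AUDIT_CSV = """timestamp,user,role,department,patient_mrn,action
2018-04-02T08:12:00,jdoe,nurse,ED,100001,view_chart
2018-04-02T08:15:00,jdoe,nurse,ED,100002,view_chart
2018-04-02T09:01:00,guard07,security,ED,100003,view_chart
2018-04-02T09:04:00,guard07,security,ED,100004,view_chart
2018-04-02T09:06:00,guard12,security,ED,100003,view_chart
2018-04-02T10:30:00,asmith,registration,ED,100005,update_demographics
"""


def audit_chart_access(csv_text, chart_roles=CHART_ROLES,
                       threshold=DISTINCT_PATIENT_THRESHOLD):
    """Return findings as (user, reason, detail) tuples.

    reason is "role_not_permitted" for a chart view by a role outside
    chart_roles, or "volume" when an authorized role opens more than
    `threshold` distinct patients in a single day.
    """
    findings = []
    patients_per_user_day = defaultdict(set)

    for row in csv.DictReader(StringIO(csv_text)):
        day = row["timestamp"][:10]
        patients_per_user_day[(row["user"], row["role"], day)].add(row["patient_mrn"])
        # Least-privilege check: a chart view by a role that has no
        # job-related need to open charts is a finding on its own.
        if row["action"] == "view_chart" and row["role"] not in chart_roles:
            findings.append((
                row["user"], "role_not_permitted",
                f"{row['role']} viewed MRN {row['patient_mrn']} at {row['timestamp']}",
            ))

    # Volume check: authorized roles can still snoop, so compare each user's
    # daily breadth of distinct patients against the threshold.
    for (user, role, day), mrns in patients_per_user_day.items():
        if role in chart_roles and len(mrns) > threshold:
            findings.append((user, "volume", f"{len(mrns)} distinct patients on {day}"))
    return findings


def users_flagged(findings):
    """Distinct users appearing in the findings, for the review queue."""
    return sorted({user for user, _, _ in findings})


if __name__ == "__main__":
    for user, reason, detail in audit_chart_access(SAMPLE_AUDIT_CSV):
        print(f"{user}: {reason}: {detail}")
    print("review queue:", users_flagged(audit_chart_access(SAMPLE_AUDIT_CSV)))
```

The role check is the one that would have surfaced the pattern in this settlement, since a security role has no reason to open charts at all; the volume check is the complement for workforce members who are permitted to view charts but open far more than their assignment requires. Findings from either check are a starting point for the documented review the discussion point calls for, not a determination of misconduct on their own.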
*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*