HHS OCR has settled another enforcement action involving the HIPAA Security Rule. From their press release yesterday, it sounds like an insider wrongdoing case. In its formal resolution agreement, the government states that on October 23, 2018, OCR received a complaint alleging that on October 8, 2018, an unknown third party had accessed the complainant's printed and electronic medical record from St. Joseph's Hospital.
From the government’s press release about their investigation of BayCare Health System, which is a Florida healthcare provider:
OCR initiated the investigation following its receipt of a complaint in October 2018, in which the complainant alleged that after receiving treatment at a BayCare facility, she was contacted by an unknown individual who had photographs of her printed medical records, as well as a video of someone scrolling through her medical records on a computer screen. The investigation determined that the credentials used to access the complainant’s medical record belonged to a non-clinical former staff member of a physician’s practice, which had access to BayCare’s electronic medical records for the continuity of common patients’ care.
DataBreaches notes that the incident never appeared on HHS's public breach tool, possibly because fewer than 500 patients were affected, or possibly because HHS OCR did not list it due to the ongoing investigation and settlement attempts.
OCR’s investigation found BayCare potentially violated multiple HIPAA Security Rule requirements, including:
- Failing to implement policies and procedures for authorizing access to ePHI that are consistent with the applicable requirements of the HIPAA Privacy Rule,
- Failing to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level, and
- Failing to regularly review records of information system activity.
Under the terms of the settlement, BayCare agreed to implement a corrective action plan that OCR will monitor for two years, and paid OCR $800,000. Under the corrective action plan, BayCare will take steps to resolve its potential violations of the HIPAA Security Rule, and to protect the privacy and security of ePHI, including:
- Conducting an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
- Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis;
- Revising, as necessary, its written policies and procedures to comply with the HIPAA Rules; and
- Training its workforce that has access to ePHI on its HIPAA policies and procedures.
As is generally the case with such settlements, the agreement contains no admission by BayCare of any liability or wrongdoing under HIPAA.
The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/sites/default/files/hhs-ocr-hipaa-baycare-agreement.pdf