Malicious Insider Incident Results in $800,000 HIPAA Penalty for Florida Health System
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has announced its 9th financial penalty of the year under the Trump administration, and its 15th financial penalty of the year to resolve alleged HIPAA violations. The Florida healthcare provider BayCare Health System agreed to settle the HIPAA violation case and paid an $800,000 financial penalty. BayCare Health will adopt a corrective action plan and be monitored by OCR for compliance for two years.
OCR investigates all reported data breaches affecting 500 or more individuals to assess HIPAA compliance, as well as some smaller breaches. In this case, however, the investigation was launched in response to an October 2018 complaint from a patient about unauthorized access to her printed and electronic medical record following a visit to BayCare Health’s St. Joseph Hospital in Tampa, Florida. After receiving treatment at the facility, the woman claimed to have been contacted by an unknown individual who had photographs of her printed medical records. She also received a video recording of the person scrolling through her electronic medical record on a computer screen.
OCR’s investigation substantiated the woman’s complaint and confirmed there had been unauthorized access to her protected health information by a malicious insider. Since credentials must be entered in order to view patient records within the electronic medical record system, the unauthorized access could be traced to a specific individual, a non-clinical former staff member of a physician’s practice. That individual was provided with access to electronic medical records for continuity of patients’ care.
The HIPAA Privacy Rule requires policies and procedures to be implemented for authorizing access to electronic protected health information (ePHI), and under the minimum necessary standard, access to ePHI must be limited to the minimum information necessary for the user’s role. BayCare Health was found to have failed to comply with this requirement. BayCare Health was also found to have failed to effectively manage risk by not implementing security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. Further, BayCare Health failed to implement policies and procedures for regularly reviewing records of activity in information systems.
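The three control failures above (access authorization, minimum necessary, and regular review of activity records) are the kind of thing a periodic audit-log review catches. The following is an added illustration, not code from the article or from BayCare Health; the log format, the authorization roster, the user names and the dates are all constructed assumptions.

```python
"""Periodic review of EMR access records against an authorization roster.

Constructed example: the audit-log format (date,user,action,patient_id),
the roster below and every name and date are hypothetical.
"""
from datetime import date

# Constructed roster: who may access which patients, in what role, and
# until when (None = open-ended). A former staff member whose access was
# granted for continuity of care would carry an end date here.
AUTHORIZATIONS = {
    "drsmith": {"role": "clinical", "patients": {"P100", "P200"}, "until": None},
    "jdoe": {"role": "non-clinical", "patients": {"P100"}, "until": date(2018, 10, 31)},
}

# Constructed audit-log lines (date,user,action,patient_id).
SAMPLE_LOG = """\
2018-09-15,jdoe,view_demographics,P100
2018-09-20,drsmith,view_full_chart,P200
2018-10-05,jdoe,view_full_chart,P300
2018-10-06,jdoe,view_full_chart,P100
2018-11-02,jdoe,view_demographics,P100
2018-11-03,ghost,view_full_chart,P200
"""


def review_access_log(log_text, authorizations=AUTHORIZATIONS):
    """Return (user, patient, reason) for every access that fails a control."""
    findings = []
    for line in log_text.strip().splitlines():
        day, user, action, patient = line.split(",")
        when = date.fromisoformat(day)
        auth = authorizations.get(user)
        if auth is None:
            findings.append((user, patient, "no authorization on file"))
        elif auth["until"] is not None and when > auth["until"]:
            # Credentials still work after the authorization period ended.
            findings.append((user, patient, "access after authorization ended"))
        elif patient not in auth["patients"]:
            # No treatment relationship between this user and this patient.
            findings.append((user, patient, "no treatment relationship"))
        elif auth["role"] == "non-clinical" and action == "view_full_chart":
            # Minimum necessary: non-clinical staff do not need the full chart.
            findings.append((user, patient, "full chart exceeds minimum necessary"))
    return findings


if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_LOG):
        print(finding)
```

In practice the roster would be fed from HR and credentialing systems, and the review would run on a schedule rather than by hand.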
BayCare Health was notified of the outcome of the investigation and was given an opportunity to settle the alleged HIPAA violations informally, with no admission of wrongdoing or liability. When settlements are agreed, in addition to a financial penalty, the regulated entity must implement a corrective action plan. BayCare Health’s corrective action plan requires a comprehensive and accurate risk analysis to be conducted, and a risk management plan to be developed and implemented to reduce risks and vulnerabilities to ePHI to a reasonable level. Policies and procedures must be developed and implemented to ensure HIPAA compliance, the updated policies and procedures must be distributed to the workforce, and HIPAA training must be provided on those revised policies and procedures.
“In an era of hacking and ransomware attacks, HIPAA-regulated entities still need to ensure that workforce members and other users with access to an electronic medical record only have access to the health information necessary for them to perform their jobs,” said OCR Acting Director Anthony Archeval. “Allowing unrestricted access to patient health information can create an attractive target for a malicious insider.”