Record HIPAA Settlement Announced: $5.5 Million Paid by Memorial Healthcare System
The Department of Health and Human Services’ Office for Civil Rights (OCR) has matched last year’s record HIPAA settlement with Advocate Health. Yesterday, OCR announced that a $5.5 million settlement had been reached with Florida-based Memorial Healthcare Systems to resolve potential Privacy Rule and Security Rule violations.
Memorial Healthcare Systems has paid the penalty for non-compliance with HIPAA Rules, and in addition to the $5.5 million settlement, a robust corrective action plan must be adopted to address all areas of non-compliance.
Memorial Healthcare Systems operates six hospitals in South Florida, with its flagship hospital one of the largest in the state. The healthcare system also operates a range of ancillary healthcare facilities, a nursing home, urgent care center, and is affiliated with many physician offices through an Organized Health Care Arrangement (OHCA).
In 2012, Memorial Healthcare discovered a breach of ePHI had occurred. The breach was reported to OCR on April 12, 2012. That breach related to two employees who were discovered to have inappropriately accessed patients’ ePHI, including names, birth dates, and Social Security numbers. Federal charges were brought against the individuals for selling the stolen ePHI and filing fraudulent tax returns, and OCR investigated to determine whether any underlying violations of HIPAA Rules had contributed to the exposure and theft of PHI. Memorial Healthcare was investigated by OCR in the summer of 2012.
Memorial Healthcare also conducted its own investigation which revealed that those two employees were not the only individuals to have inappropriately accessed ePHI. Memorial Healthcare’s investigation determined that 12 individuals at its affiliated physician offices had also inappropriately accessed the ePHI of patients. In total, the ePHI of 115,143 individuals was impermissibly accessed by its employees.
The investigation revealed that the login credentials of a former employee of one of its affiliated physician offices had been used to access the ePHI of patients on a daily basis for a period of a year. The login credentials were discovered to have first been used to access ePHI without authorization in April 2011, and access continued until April 2012, when the improper access was detected and blocked. The ePHI of 80,000 patients had been accessed using those login credentials.
In accordance with HIPAA Rules, Memorial Healthcare System had implemented policies and procedures covering ePHI access by its workforce, but the healthcare system had failed to implement procedures to review and modify users’ access rights to ePHI when access was no longer required. Several risk analyses conducted between 2007 and 2012 had previously highlighted the risk to ePHI.
Inappropriate access by its employees and by staff at affiliated physician offices continued for a year, yet Memorial Healthcare did not notice, as records of information system activity were not regularly reviewed.
OCR investigators determined that Memorial Healthcare had violated HIPAA Rules (45 C.F.R. §§ 160.103 and 164.502(a)) by providing access to PHI to a former employee of an affiliated physician practice between April 1, 2011 and April 27, 2012.
A violation of 45 C.F.R. § 164.308(a)(1)(ii)(D) occurred between January 1, 2011 and June 1, 2012, as regular reviews of records of information system activity had not been performed.
45 C.F.R. § 164.308(a)(4)(ii)(C) had also been violated by failing to modify a user’s right of access to a workstation, transaction, or program, allowing ePHI to be impermissibly accessed.
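The two control failures described above, no review of access rights after a user leaves and no regular review of activity records, as an added example that is not from the article or from Memorial Healthcare: a small Python check that joins constructed access-log lines against a constructed HR roster, flagging accesses after an account's termination date or by accounts absent from the roster, and counting distinct patient records per user. The log format, field names and roster are assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed HR roster (assumption): user id -> termination date, None = active.
TERMINATIONS = {
    "jdoe": date(2011, 3, 15),   # left an affiliated practice; account never disabled
    "asmith": None,
    "bwong": None,
}
# Constructed audit-log lines (assumed format): "YYYY-MM-DD,user,patient_id,action"
SAMPLE_LOG = """\
2011-04-01,jdoe,P1001,view
2011-04-01,jdoe,P1002,view
2011-04-02,jdoe,P1003,view
2011-04-02,asmith,P1004,view
2011-04-03,bwong,P1004,view
2011-04-03,tmp_acct,P1005,view
"""

def parse_log(text):
    """Parse the constructed CSV-style log into (date, user, patient, action) tuples."""
    records = []
    for line in text.splitlines():
        day, user, patient, action = line.split(",")
        records.append((date.fromisoformat(day), user, patient, action))
    return records

def flag_access(records, terminations):
    """Return entries where the account was deprovisioned before the access,
    or is absent from the roster entirely (a review should explain both)."""
    flagged = []
    for day, user, patient, action in records:
        if user not in terminations:
            flagged.append((day, user, patient, "not in roster"))
        elif terminations[user] is not None and day > terminations[user]:
            flagged.append((day, user, patient, "access after termination"))
    return flagged

def distinct_patients_per_user(records):
    """Distinct patient records touched per user; a high count over a short
    window is the volume signal a regular activity review should surface."""
    seen = defaultdict(set)
    for _, user, patient, _ in records:
        seen[user].add(patient)
    return {user: len(p) for user, p in seen.items()}

def review(text=SAMPLE_LOG, terminations=TERMINATIONS):
    """Run both checks over a log text and return the findings."""
    records = parse_log(text)
    return {"flagged": flag_access(records, terminations),
            "patients_per_user": distinct_patients_per_user(records)}
```

On the constructed input, every access by the departed user and the one access by the unlisted account are flagged; in practice the same join runs against the real IAM roster and EHR audit export on a fixed schedule.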
Each HIPAA violation carries a maximum penalty of $1.5 million per year that the violation was allowed to persist. Had Memorial Healthcare not agreed to settle with OCR, the financial penalty could have been considerably higher.
This HIPAA settlement brings the annual total up to three settlements and one Civil Monetary Penalty (CMP). Earlier this month, OCR announced a $3.2 million CMP for Children’s Medical Center of Dallas. In January, a settlement of $2.2 million was agreed with MAPFRE Life Insurance Company of Puerto Rico for impermissible disclosure of ePHI, and a $475,000 settlement was agreed with Presence Health to resolve HIPAA Breach Notification Rule violations.
OCR Acting Director Robinsue Frohboese announced the latest HIPAA settlement, saying: “Access to ePHI must be provided only to authorized users, including affiliated physician office staff.” Frohboese also explained that “Organizations must implement audit controls and review audit logs regularly. As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen.”
At the current rate, last year’s record-breaking year for HIPAA settlements will be eclipsed in 2017. The regularity of HIPAA settlements and CMPs should send a strong message to covered entities that OCR is coming down hard on organizations found to have violated HIPAA Rules and exposed patients’ protected health information.