The Department of Health and Human Services’ Office for Civil Rights (OCR), equaling last year’s record HIPAA settlement with Advocate Health, announced that a $5.5 million settlement had been agreed with Florida-based Memorial Healthcare Systems to settle potential Privacy Rule and Security Rule violations.
Memorial Healthcare Systems has paid the $5.5 million settlement for non-compliance with HIPAA Rules, and in addition to the payment it must put in place a robust corrective action plan to address all areas of non-compliance.
Memorial Healthcare Systems runs six hospitals in South Florida, and its flagship hospital is one of the State’s largest. The healthcare system also operates a variety of ancillary healthcare facilities, including a nursing home and an urgent care center, and it is affiliated with many physician offices through an Organized Health Care Arrangement (OHCA).
In 2012, Memorial Healthcare identified that a breach of ePHI had occurred and reported it to OCR on April 12, 2012. The breach involved two employees who were found to have inappropriately accessed patients’ ePHI, including names, birth dates, and Social Security numbers. Federal charges were filed against the individuals for selling the stolen ePHI and filing fraudulent tax returns, and OCR investigated to determine whether any underlying violations of HIPAA Rules had contributed to the exposure and theft of PHI. OCR reviewed Memorial Healthcare in the summer of 2012.
Memorial Healthcare also carried out its own investigation, which showed that those two employees were not the only individuals to have inappropriately accessed ePHI: 12 individuals at its affiliated physician offices had also inappropriately accessed patients’ ePHI. In total, the ePHI of 115,143 individuals was accessed by its employees without permission.
The investigation showed that the login credentials of a former employee of one of its affiliated physician offices had been used to gain access to the ePHI of patients on a daily basis for a period of a year. The login credentials were discovered to have initially been used to access ePHI without authorization in April 2011, and access went on until April 2012, when the improper access was discovered and blocked. The ePHI of 80,000 patients had been accessed, without official permission, using those login credentials.
In compliance with HIPAA Rules, Memorial Healthcare Systems had put in place policies and procedures covering ePHI access by its staff members, but it had failed to implement procedures to review and modify users’ access rights to ePHI when access was no longer needed. Several risk analyses carried out between 2007 and 2012 had emphasized the risk to ePHI.
Improper access by its employees and by staff at affiliated physician offices continued for 12 months, yet Memorial Healthcare did not notice, because records of information system activity were not regularly and properly reviewed.
OCR found, during its review, that Memorial Healthcare had violated HIPAA Rules (45 C.F.R. §§ 160.103 and 164.502(a)) by providing access to PHI to a former employee of an affiliated physician practice between April 1, 2011 and April 27, 2012.
A violation of 45 C.F.R. § 164.308(a)(1)(ii)(D) occurred between January 1, 2011 and June 1, 2012, as regular reviews of records of information system activity had not been carried out.
45 C.F.R. § 164.308(a)(4)(ii)(C) had also been violated, as a user’s right of access to a workstation, transaction, or program was not modified, allowing ePHI to be impermissibly accessed.
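The two control failures above (no review of information system activity records, and no modification of access rights once they were no longer needed) are the kind of thing a routine audit-log review would catch. The following is an added example, not code from the article or from Memorial Healthcare, of such a review: it cross-references an EHR access log against an HR termination roster and flags accounts that touch an unusual number of distinct patients in a short window. The account names, dates, patient IDs and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed HR roster: account -> termination date (hypothetical, not from the case).
TERMINATED = {"jdoe": date(2011, 3, 15)}

# Constructed EHR access records: (account, access date, patient id).
ACCESS_LOG = [
    ("jdoe", date(2011, 4, 1), "P1001"),     # terminated account still in use
    ("jdoe", date(2011, 4, 2), "P1002"),
    ("jdoe", date(2011, 4, 3), "P1003"),
    ("asmith", date(2011, 4, 3), "P1003"),   # active clinician, normal volume
    ("asmith", date(2011, 4, 4), "P1004"),
    ("bjones", date(2011, 4, 3), "P2001"),   # active account, unusual breadth
    ("bjones", date(2011, 4, 3), "P2002"),
    ("bjones", date(2011, 4, 4), "P2003"),
    ("bjones", date(2011, 4, 5), "P2004"),
]


def post_termination_access(log, terminated):
    """Every access by an account on or after its HR termination date.
    This is the check that 164.308(a)(4)(ii)(C)-style access modification
    would have made unnecessary: a removed account cannot log in at all."""
    return [(acct, when, pid) for acct, when, pid in log
            if acct in terminated and when >= terminated[acct]]


def high_breadth_accounts(log, window_days=7, max_patients=3):
    """Accounts that accessed more than max_patients distinct patients within
    any rolling window of window_days. Returns {account: peak distinct count}."""
    by_acct = defaultdict(list)
    for acct, when, pid in sorted(log, key=lambda r: r[1]):
        by_acct[acct].append((when, pid))
    flagged = {}
    for acct, events in by_acct.items():
        for i, (start, _) in enumerate(events):
            end = start + timedelta(days=window_days)
            seen = {pid for when, pid in events[i:] if when < end}
            if len(seen) > max_patients:
                flagged[acct] = max(flagged.get(acct, 0), len(seen))
    return flagged


def review(log, terminated):
    """One periodic review pass over the activity records."""
    return {"post_termination": post_termination_access(log, terminated),
            "high_breadth": high_breadth_accounts(log)}
```

In the case described above the former employee's credentials were used daily for a year, so the post-termination check alone would have fired on the first review after April 2011; the breadth check is the complement for still-active accounts misused by insiders.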
Each HIPAA violation carries a maximum fine of $1.5 million per year for each year the violation was allowed to continue. Had Memorial Healthcare not agreed to settle with OCR, the financial penalty could have been much higher.
This HIPAA settlement brings the annual total to three settlements and one Civil Monetary Penalty (CMP). Earlier this month, OCR announced a $3.2 million CMP for Children’s Medical Center of Dallas. In January, a $2.2 million settlement was agreed with MAPFRE Life Assurance Company of Puerto Rico for inappropriate disclosure of ePHI, and a $475,000 settlement was agreed with Presence Health to resolve HIPAA Breach Notification Rule violations.
OCR Acting Director Robinsue Frohboese commented on the latest HIPAA settlement saying “Access to ePHI must be provided only to authorized users, including affiliated physician office staff.” Frohboese also outlined that “Organizations must implement audit controls and review audit logs regularly. As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen.”