On February 16, the U.S. Department of Health and Human Services issued a public notice that Memorial Healthcare System had paid HHS $5.5 million to settle potential violations of HIPAA’s Privacy and Security Rules.
Memorial Healthcare System is a nonprofit corporation that operates six hospitals, an urgent care center, a nursing home, and a variety of ancillary health care facilities in South Florida. It is also affiliated with physician offices through an Organized Health Care Arrangement (OHCA).
The protected health information (PHI) of 115,143 individuals had been impermissibly accessed by employees of Memorial Healthcare System and impermissibly disclosed to affiliated physician office staff. This information consisted of the affected individuals’ names, dates of birth, and Social Security numbers. The login credentials of a former employee of an affiliated physician’s office had been used daily, without detection, from April 2011 to April 2012 to access the electronic protected health information (ePHI) maintained by Memorial Healthcare System, affecting 80,000 individuals. Although it had workforce access policies and procedures in place, Memorial Healthcare System failed to implement procedures for reviewing, modifying and/or terminating users’ right of access, as required by the HIPAA Rules. Further, Memorial Healthcare System failed to regularly review records of information system activity by workforce users and users at affiliated physician practices on applications that maintain ePHI, despite having identified this risk in several risk analyses it conducted from 2007 to 2012.
The Acting Director of the HHS Office for Civil Rights noted that “organizations must implement audit controls and review audit logs regularly. As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen.”