Washington Hospital Pays $240,000 HIPAA Penalty After Security Guards Access Medical Records
Washington DC, June 16, 2023: The HHS’ Office for Civil Rights (OCR) investigates all reported breaches of the protected health information of 500 or more individuals and some smaller breaches to determine if the breach was caused by the failure to comply with the HIPAA Rules. OCR’s latest HIPAA enforcement action confirms that it is not the scale of a data breach that determines if a financial penalty must be paid, but the severity of the underlying HIPAA violations.
A relatively small data breach was reported to OCR on February 28, 2018, by Yakima Valley Memorial Hospital (formerly Virginia Mason Memorial), a 222-bed non-profit community hospital in Washington state. The hospital discovered security guards had been accessing the medical records of patients when there was no legitimate work reason for the medical record access, and 419 medical records had been impermissibly viewed.
OCR launched an investigation into the snooping incident in May 2018 and discovered widespread snooping on medical records by security guards in the hospital’s emergency department. 23 security guards had used their login credentials to access medical records in the hospital’s electronic medical record system when there was no legitimate reason for the access. The security guards were able to view protected health information such as names, addresses, dates of birth, medical record numbers, certain notes related to treatment, and insurance information. OCR determined that the hospital had failed to implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the Security Rule – 45 C.F.R. § 164.316.
Yakima Valley Memorial Hospital chose to settle the case with OCR and agreed to pay a financial penalty of $240,000 with no admission of liability. A corrective action plan has been adopted to ensure full compliance with the HIPAA Rules. The plan includes an accurate and comprehensive risk analysis, the development and implementation of a risk management plan to address the risks identified by the risk analysis, updates to its HIPAA policies and procedures, the enhancement of its current HIPAA security training program, and a review of its relationships with vendors and third-party service providers to identify business associates and obtain business associate agreements if they are not already in place.
“Data breaches caused by current and former workforce members impermissibly accessing patient records are a recurring issue across the healthcare industry. Healthcare organizations must ensure that workforce members can only access the patient information needed to do their jobs,” said OCR Director Melanie Fontes Rainer. “HIPAA-covered entities must have robust policies and procedures in place to ensure patient health information is protected from identity theft and fraud.”
This is the 6th OCR HIPAA enforcement action of 2023 that has resulted in a financial penalty, and the second to be announced by OCR this month. So far this year, penalties totaling $1,901,500 have been imposed by OCR to resolve violations of the HIPAA Rules.