By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow
According to an article over on tripwire, a covered entity is facing serious penalties after the Office for Civil Rights issued them a hefty fine for their failure to comply with audit procedures including review, modification and termination of users’ access.
In the scope of the investigation, it was discovered that more than 100,000 individuals had their electronic Protected Heath Information (ePhi) records impermissibly disclosed.”
This announcement by the Office for Civil Rights came on February 16, 2017, announcing a settlement agreement had been reached with Memorial Healthcare System (MHS) for their potential HIPAA violations.
The settlement agreement included a robust corrective action plan and the second largest fine levied against a covered entity to date: $5.5 million.”
Background information
MHS is the 4th largest public healthcare system in the United States, offering their own services and participating in an Organized Healthcare Arrangement (OHCA). Participating in a OHCA allows covered entities such as MHS to affiliate themselves with additional physicians’ offices, requiring employees from those offices to gain access to patient records company wide.
In 2012, MHS filed a breach report to the Office for Civil Rights as part of routine breach reporting requirements. The reported breach indicated that two employees had inappropriately accessed patient records. An update to the initial breach was reported three months later by MHS, explaining that there were 12 addition employees who inappropriately accessed patient records in the breach. The report disclosed that an estimated 105, 646 patients had their information accessed inappropriately.
At the root of this breach was MHS’s failure to follow its own polices and deactivate the login credentials of a former employee from an affiliated physician’s office. Over the course of roughly a year, these credentials were repeatedly used to gain access to MHS’s data systems and client ePHI.”
Through further investigation into the breach, the Office for Civil Rights discovered that some information obtained through the inappropriate access of patient information resulted in federal criminal charges including selling the ePHI and filing fraudulent tax returns.
The settlement
The settlement agreement and corrective action plan represent the first truly robust enforcement action against a company for failure to implement user access audit controls. The settlement agreement noted a pattern of disregard for the monitoring and auditing of user access over the course of five years, despite several risk analyses identifying this very issue.”
Taking into account the federal charges that occurred as a result of the breach, the Office for Civil Rights issued MHS a fine for $5.5 million, sending a clear warning sign that audit controls will become a main focus for the future.
Lessons learned
Through the unfortunate events that led to MHS’ substantial fine, other covered entities and business associates can learn some very valuable lesson when it comes to HIPAA compliance.
- Implement and audit established policies and procedures
- User access controls must be timely, verifiable, and robust
- After a risk analysis is completed, corrective action must occur
It is important to check with your IT and HR departments to ensure your organization has the appropriate audit controls in place. Some examples of questions you will want to verify include the following:
- When a user is terminated or resigns, what is the process to terminate access?”
- Do we have the ability to “break the glass” and immediately freeze a user’s access?”
- Can we review an audit of a user’s access and see what they viewed and when?”
- Do we have the ability to limit a user’s access to only those records that they need to see?”
- If a user accesses a record that they do not need to see, can our system alert us?”
The time is now to ensure that your organization is HIPAA compliant!
This article was originally published on HIPAA Secure Now! and is republished here with permission.