City of New Haven Settles HIPAA Violation Case with OCR for $202K

The City of New Haven in Connecticut has settled a HIPAA violation case with the U.S. Department of Health and Human Services’ Office for Civil Rights and has been ordered to pay a financial penalty of $202,400. A corrective action plan has also been adopted to ensure that all areas of noncompliance with the HIPAA Rules are addressed. The City will be monitored by OCR for 2 years to ensure continued compliance with the HIPAA Rules.

OCR is the main enforcer of compliance with the HIPAA Rules and has the authority to impose financial penalties on HIPAA covered entities and business associates in cases where HIPAA Rules have not been followed. 2020 was looking to be a relatively quiet year in terms of HIPAA enforcement, with only one financial penalty issued in the first six months of the year. Two settlements were announced in July, but in September and October there was a flurry of activity, with 12 settlements announced. Already 2020 has seen more financial penalties imposed than in any other year since OCR was given the authority to impose fines for HIPAA violations.

The latest financial penalty relates to a breach of the protected health information of 498 individuals that occurred in July 2016 and was reported to OCR in January 2017.

An employee of the New Haven Health Department was terminated during her probationary period on July 19, 2016. 8 days later she returned to the Health Department with her union representative, used the key she had been issued with to enter her office, and locked herself inside with the union representative.

She collected her personal items and documents and logged into her computer using her login credentials and downloaded files to a USB drive before exiting the premises. One of the files taken from the premises contained the PHI of 498 individuals including names, contact information, dates of birth, demographic details, and sexually transmitted disease test results. The actions of the former employee were witnessed by a student intern who was present at the time the former employee returned with her union representative.

OCR investigated the breach and identified several potential HIPAA violations. The City of New Haven had failed to conduct an enterprise-wide risk assessment to identify risks and vulnerabilities to electronic protected health information and had impermissibly disclosed the protected health information of 498 individuals to an unauthorized individual.

For more than 4 years between Dec 1, 2014 and Dec 31, 2018, the City of New Haven failed to implement HIPAA Privacy Rule policies and procedures and had not implemented procedures for terminating access to PHI as part of its termination procedures. OCR also discovered the former employee had shared her login credentials with an intern who continued to use those credentials to access PHI after the employee had been terminated. Over the same 4-year period, the City of New Haven had failed to assign unique login credentials to allow the tracking of user identity.

“Medical providers need to know who in their organization can access patient data at all times,” said OCR Director Roger Severino. “When someone’s employment ends, so must their access to patient records.”