The HHS’ Office for Civil Rights has announced its second HIPAA enforcement action of the month. Yakima Valley Memorial Hospital in Washington has agreed to settle OCR’s investigation into snooping on medical records for $240,000 and has adopted a corrective action plan to resolve the HIPAA compliance issues discovered by OCR during its investigation.
The case dates back to a breach report received by OCR in February 2018 about snooping on patient medical records by security guards in the emergency department of the hospital. Yakima Valley Memorial Hospital conducted an internal investigation into the snooping and determined that the medical records of 419 patients had been accessed without authorization using the login credentials of 23 security guards. The login credentials allowed access to protected health information such as names, dates of birth, addresses, medical record numbers, notes related to treatment, and insurance information.
Snooping on medical records is one of the most common HIPAA violations, and it needs to be detected quickly: the longer unauthorized access continues, the more patients have their privacy violated. Detection depends on two Security Rule controls that the settlement implicitly points to, audit controls that record who opened which record (45 CFR §164.312(b)) and regular review of that activity (§164.308(a)(1)(ii)(D)); access logs that nobody reviews do not stop anything. Without monitoring and enforcement, snooping can grow into an accepted practice within particular groups of employees, which is what a 23-user, 419-patient incident suggests. Employees, business associates, and contractors with access to systems containing PHI must also receive training that makes clear that accessing a record without a work-related reason is a HIPAA violation, and they must be informed of the sanctions policy that applies when unauthorized access is detected.
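The kind of access-log review the paragraph above calls for, as an added example that is not part of the original article and not code from any hospital system. The audit-log format is an assumed, constructed CSV layout (timestamp, user id, role, patient MRN, action), the sample lines are constructed, and the `CLINICAL_ROLES` list is a placeholder for an organisation's real role-based access policy. It applies two checks: chart access by a role with no clinical need for it (the security-guard pattern in this case), and an unusually high number of distinct charts opened by one user, which catches snooping by staff whose role does permit access.

```python
"""Access-log review for clinical record snooping.

Added example, not code from the original article or from any hospital
system. The log format is an assumed, constructed CSV layout; a real EHR
audit trail will differ, so map its fields onto AccessEvent before use.
"""
import csv
from collections import defaultdict
from dataclasses import dataclass
from io import StringIO

# Constructed sample audit log (hypothetical users and MRNs). Fields:
# timestamp,user_id,role,patient_mrn,action
SAMPLE_LOG = """\
2018-02-01T08:02:11,nurse01,nurse,MRN1001,view
2018-02-01T08:05:40,nurse01,nurse,MRN1002,view
2018-02-01T08:10:03,doc02,physician,MRN1001,view
2018-02-01T08:12:59,doc02,physician,MRN1003,update
2018-02-01T22:41:07,guard07,security,MRN1004,view
2018-02-01T22:43:15,guard07,security,MRN1005,view
2018-02-01T22:44:50,guard07,security,MRN1006,view
2018-02-02T01:17:22,guard12,security,MRN1007,view
malformed line without the expected fields
2018-02-02T09:00:00,coder03,coder,MRN1001,view
2018-02-02T09:01:00,coder03,coder,MRN1002,view
2018-02-02T09:02:00,coder03,coder,MRN1003,view
2018-02-02T09:03:00,coder03,coder,MRN1004,view
2018-02-02T09:04:00,coder03,coder,MRN1005,view
2018-02-02T09:05:00,coder03,coder,MRN1006,view
"""

# Roles with a treatment, payment or operations reason to open a chart.
# Assumed list; derive it from the organisation's role-based access policy.
CLINICAL_ROLES = {"physician", "nurse", "registrar", "coder"}


@dataclass(frozen=True)
class AccessEvent:
    timestamp: str
    user_id: str
    role: str
    patient_mrn: str
    action: str


def parse_log(text):
    """Parse the constructed CSV format.

    Returns (events, skipped) where skipped counts blank or malformed lines;
    a reviewer should report those rather than let them vanish.
    """
    events, skipped = [], 0
    for row in csv.reader(StringIO(text)):
        if len(row) != 5:
            skipped += 1
            continue
        events.append(AccessEvent(*row))
    return events, skipped


def role_violations(events):
    """Chart accesses by users whose role carries no clinical need.

    Returns {user_id: set of patient MRNs touched}.
    """
    hits = defaultdict(set)
    for ev in events:
        if ev.role not in CLINICAL_ROLES:
            hits[ev.user_id].add(ev.patient_mrn)
    return dict(hits)


def high_volume_users(events, threshold):
    """Users who opened more than `threshold` distinct charts in the log window.

    Returns {user_id: distinct_chart_count}.
    """
    charts = defaultdict(set)
    for ev in events:
        charts[ev.user_id].add(ev.patient_mrn)
    return {u: len(s) for u, s in charts.items() if len(s) > threshold}


def affected_patients(violations):
    """Distinct MRNs across a violations map: the count a breach report must cite."""
    return sorted(set().union(*violations.values())) if violations else []


if __name__ == "__main__":
    events, skipped = parse_log(SAMPLE_LOG)
    print(f"{len(events)} events parsed, {skipped} malformed lines skipped")
    viol = role_violations(events)
    for user, mrns in sorted(viol.items()):
        print(f"ROLE VIOLATION {user}: {len(mrns)} charts {sorted(mrns)}")
    print("patients affected:", affected_patients(viol))
    for user, n in sorted(high_volume_users(events, threshold=5).items()):
        print(f"HIGH VOLUME {user}: {n} distinct charts")
```

The volume threshold is deliberately a parameter: a coder or registrar legitimately opens many charts, so in practice it should be set per role from a baseline of normal activity, and a hit is a lead for a privacy officer to check against the treatment relationship, not proof of snooping on its own.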
OCR’s investigation revealed Yakima Valley Memorial Hospital had not implemented reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the Security Rule, and that the extent of the violation was severe enough to warrant a financial penalty. The corrective action plan includes several requirements to ensure future compliance with the HIPAA Rules. A comprehensive, organization-wide risk analysis must be conducted to identify risks and vulnerabilities to protected health information and those risks must be subjected to a HIPAA-compliant risk management process.
Yakima Valley Memorial Hospital is required to develop, maintain and revise, as necessary, HIPAA policies and procedures and must improve its training program on the updated HIPAA policies and procedures. A review must also be conducted of all relationships with vendors and third-party service providers to ensure that all business associates are identified, and business associate agreements must be signed with each of those vendors.
“Data breaches caused by current and former workforce members impermissibly accessing patient records are a recurring issue across the healthcare industry. Healthcare organizations must ensure that workforce members can only access the patient information needed to do their jobs,” said OCR Director Melanie Fontes Rainer. “HIPAA-covered entities must have robust policies and procedures in place to ensure patient health information is protected from identity theft and fraud.”