The Department of Health and Human Services’ Office for Civil Rights has announced that a settlement has been reached with Florida-based Memorial Healthcare System. The Memorial Healthcare HIPAA fine of $5.5 million settles potential violations of the HIPAA Privacy and Security Rules spanning several years. The settlement ties for the largest HIPAA fine ever issued to a single covered entity: it matches last year’s settlement with Advocate Health, which was also $5.5 million and resolved multiple HIPAA violations.
The Memorial Healthcare HIPAA fine resolves HIPAA compliance violations that were discovered by OCR during an investigation into a large data breach that was reported in 2012. In total, 115,143 individuals’ protected health information was impermissibly accessed by the healthcare system’s employees. PHI was also impermissibly disclosed to affiliated physician office staff. A wide range of ePHI was impermissibly accessed, including patients’ names, birth dates and Social Security numbers.
The OCR investigation was launched in 2012 following receipt of a breach report from Memorial Healthcare. OCR investigates all security breaches that have resulted in more than 500 patients’ and health plan members’ ePHI being improperly accessed, stolen, or exposed.
The investigation into the Memorial Healthcare security breach revealed multiple violations of HIPAA Rules had occurred between April 2011 and April 2012. OCR determined that Memorial Healthcare had violated the HIPAA Privacy Rule by providing PHI access to a former employee of an affiliated physician practice for a period of more than one year between April 1, 2011 and April 27, 2012. As a result of that HIPAA violation, the protected health information of 80,000 healthcare patients was impermissibly disclosed.
Not only was access to PHI provided to someone who should not have had it; no checks of PHI access logs were performed between January 1, 2011 and June 1, 2012. HIPAA Rules require covered entities to maintain logs of ePHI access. While data access logs were maintained, they were not checked regularly, a violation of the Administrative Safeguards of the HIPAA Security Rule.
Over the same period, Memorial Healthcare failed to implement policies and procedures covering the modification of users’ PHI access rights. When access to PHI was no longer required, such as when an individual left employment, access to PHI was not terminated.
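The two control failures described above (access rights not revoked when someone leaves, and audit logs kept but never reviewed) are the kind of thing a covered entity can catch with a routine reconciliation job. The following is an added example, not code from the article or from Memorial Healthcare: it reconciles the accounts enabled in an EHR against an HR roster that also covers affiliated physician office staff, flags audit-log events by terminated or unknown users, and reports periods in which no documented log review took place. The roster, account list, log format and dates are all constructed for illustration.

```python
"""Reconcile PHI access grants and EHR audit logs against an HR roster.

Added example, not from the original article. The HR roster, enabled-account
list, audit log format and all dates below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Person:
    user_id: str
    organization: str                  # employer: the health system or an affiliated practice
    termination_date: Optional[date]   # None while still employed


# Constructed HR roster covering both the health system's own staff and the
# affiliated physician office staff who were issued EHR accounts.
HR_ROSTER: Dict[str, Person] = {
    "jdoe":    Person("jdoe",    "Health System",       None),
    "asmith":  Person("asmith",  "Affiliated Practice", date(2011, 4, 1)),   # left, account never disabled
    "bnguyen": Person("bnguyen", "Health System",       date(2012, 2, 15)),
}

# Constructed list of accounts currently enabled in the EHR.
ENABLED_ACCOUNTS = {"jdoe", "asmith", "bnguyen", "contractor7"}

# Constructed EHR audit log, one event per line: timestamp|user|action|patient_id
AUDIT_LOG = """\
2011-05-03T09:12:44|jdoe|VIEW|P-1001
2011-05-03T09:15:02|asmith|VIEW|P-1002
2012-03-01T14:02:10|bnguyen|EXPORT|P-1003
2012-03-01T14:05:31|contractor7|VIEW|P-1004
2012-03-02T08:00:00|jdoe|VIEW|P-1005
"""


def stale_accounts(enabled, roster: Dict[str, Person], as_of: date) -> List[str]:
    """Enabled accounts with no HR record, or whose owner was terminated on or before `as_of`."""
    stale = set()
    for user in enabled:
        person = roster.get(user)
        if person is None or (person.termination_date and person.termination_date <= as_of):
            stale.add(user)
    return sorted(stale)


def flag_access_events(log_text: str, roster: Dict[str, Person]) -> List[Tuple[str, str, str]]:
    """Parse audit log lines; return (timestamp, user, reason) for events that need review."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_str, user, _action, _patient = line.split("|")
        ts = datetime.fromisoformat(ts_str)
        person = roster.get(user)
        if person is None:
            findings.append((ts_str, user, "no HR record for account"))
        elif person.termination_date and ts.date() > person.termination_date:
            findings.append((ts_str, user, f"PHI access after termination on {person.termination_date}"))
    return findings


def overdue_log_reviews(review_dates: List[date], period_start: date, period_end: date,
                        max_gap_days: int = 30) -> List[Tuple[date, date]]:
    """Intervals longer than `max_gap_days` with no documented log review.

    The period start counts as a checkpoint so a gap is also reported when no
    review at all was documented; `max_gap_days` is an assumed policy value.
    """
    checkpoints = [period_start] + sorted(review_dates) + [period_end]
    return [(a, b) for a, b in zip(checkpoints, checkpoints[1:]) if (b - a).days > max_gap_days]


if __name__ == "__main__":
    for user in stale_accounts(ENABLED_ACCOUNTS, HR_ROSTER, date(2012, 4, 27)):
        print("disable account:", user)
    for ts, user, reason in flag_access_events(AUDIT_LOG, HR_ROSTER):
        print("review event:", ts, user, reason)
    for start, end in overdue_log_reviews([], date(2011, 1, 1), date(2012, 6, 1)):
        print("no log review between", start, "and", end)
```

Run on the constructed data, the job reports three accounts to disable (the departed practice employee, the departed staff member and an account with no HR record), three audit events to review, and a single unreviewed interval spanning the whole period because no review was ever documented. Feeding it the real roster and a daily export of the EHR audit log turns the two findings in the settlement into scheduled checks rather than something discovered during an OCR investigation.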
During the course of the investigation, OCR discovered that Memorial Healthcare was made aware of the security risks that threatened the confidentiality, integrity and availability of ePHI. Over a period of five years between 2007 and 2012, Memorial Healthcare performed risk analyses which highlighted the risk to ePHI, yet those risks were not appropriately mitigated.
While OCR usually prefers to resolve potential violations of the Health Insurance Portability and Accountability Act Rules amicably through voluntary compliance, HIPAA fines are warranted in situations when there have been serious violations of HIPAA Rules that have resulted in the exposure or disclosure of patients’ PHI. The Memorial Healthcare HIPAA fine reflects the seriousness of the potential HIPAA violations and the length of time that those violations persisted without being discovered and resolved.
Announcing the settlement, OCR acting director Robinsue Frohboese said “Access to ePHI must be provided only to authorized users, including affiliated physician office staff.” Frohboese also said “Further, organizations must implement audit controls and review audit logs regularly. As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen.”