The importance of conducting internal audits of PHI access logs has been highlighted by a recent HIPAA breach discovered by Chadron Community Hospital in Nebraska.
On January 3, 2017, the hospital discovered a former employee had improperly accessed the protected health information of patients. The investigation into the privacy breach revealed that the former employee had been accessing the PHI of patients without authorization for more than five years.
The privacy violations started in September 2011 and continued until November 2016. During that time, the PHI of 702 patients was inappropriately accessed. It is not clear why the information was accessed. Healthcare employees sometimes breach hospital policy and HIPAA regulations out of curiosity, but in many cases information is accessed, copied and used for a range of nefarious purposes. While no Social Security numbers were viewed, the former employee did view names, addresses, demographic information, dates of birth, clinical information and insurance information.
The Health Insurance Portability and Accountability Act Security Rule requires covered entities to maintain application and access logs and to regularly review those logs to determine whether the protected health information of patients and health plan members has been inappropriately accessed. While HIPAA calls for audits of PHI access logs to be performed, the legislation does not go as far as to stipulate how often those audits should take place. That is left to the discretion of the covered entity. The frequency of PHI access log audits should be dictated by the level of risk, as identified in the organization’s HIPAA risk analyses.
When inappropriate access is discovered, covered entities must take appropriate action to limit the harm caused and to reduce risk. If access logs are not regularly checked, privacy violations can continue to occur for months or years.
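As an added example (not from the article or the hospital), a minimal audit of PHI access records against documented care-team assignments: it parses a constructed, hypothetical log format, flags record views with no documented relationship, and reports the date range over which the unauthorized access persisted.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit records in a hypothetical format: timestamp|user|role|patient_id|action.
# One truncated record is included to show that malformed lines are reported, not silently dropped.
SAMPLE_LOG = """\
2011-09-14T09:14:05|jdoe|nurse|P1001|VIEW
2011-09-14T22:40:09|jdoe|nurse|P2044|VIEW
2013-05-02T11:02:13|asmith|billing|P1003|VIEW
2013-05-02T23:55:31|jdoe|nurse|P2045|VIEW
2014-01-01T10:00:00|jdoe|nurse
2016-11-20T00:07:12|jdoe|nurse|P2046|VIEW
2016-11-20T08:30:00|jdoe|nurse|P1002|VIEW
"""

# Constructed care-team assignments: the patients each user is authorized to work with.
AUTHORIZED = {"jdoe": {"P1001", "P1002"}, "asmith": {"P1003"}}


def parse_log(text):
    """Parse pipe-delimited records into dicts; malformed lines are returned separately."""
    rows, bad = [], []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 5:
            bad.append(line)
            continue
        ts, user, role, patient, action = parts
        rows.append({"ts": datetime.fromisoformat(ts), "user": user, "role": role,
                     "patient": patient, "action": action})
    return rows, bad


def unauthorized_rows(rows, authorized):
    """Records whose patient is not among the user's documented assignments."""
    return [r for r in rows if r["patient"] not in authorized.get(r["user"], set())]


def summarize(rows, authorized):
    """Per user: sorted patient ids viewed without authorization, plus first/last ISO dates."""
    hits = defaultdict(set)
    stamps = []
    for r in unauthorized_rows(rows, authorized):
        hits[r["user"]].add(r["patient"])
        stamps.append(r["ts"])
    span = (min(stamps).date().isoformat(), max(stamps).date().isoformat()) if stamps else None
    return {u: sorted(p) for u, p in hits.items()}, span
```

Run regularly, the span output is what shows how long a violation has gone undetected; the sample data spans the same five years as the breach described above.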
Any breach of PHI that impacts more than 500 individuals will be investigated by OCR. OCR will attempt to determine whether HIPAA Rules have been violated. The failure to check access logs regularly is a violation of HIPAA Rules, and could warrant a financial penalty. The penalty for HIPAA violations is up to $1.5 million per violation category, although that figure can be multiplied by the number of years that the violation has persisted.
The failure to monitor access logs for a period of five years could therefore result in a penalty of up to $7.5 million. In all likelihood, such a heavy penalty would not be issued, although multi-million dollar financial penalties have been issued in the past for serious violations of HIPAA Rules.