Washington Hospital Hit with $240,000 HIPAA Penalty as Security Guards Breach Medical Records

Posted by HIPAA Software on Jun 19, 2023

The Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) investigates reported breaches of protected health information. This includes breaches affecting 500 or more individuals, as well as certain smaller breaches. The purpose of the investigation is to determine if the breach occurred due to non-compliance with the rules outlined in the Health Insurance Portability and Accountability Act (HIPAA). Instead, the severity of the underlying HIPAA violations is the key factor.

On February 28, 2018, Yakima Valley Memorial Hospital, previously known as Virginia Mason Memorial, reported a relatively small data breach to OCR. The hospital is a non-profit community hospital located in Washington state and has a capacity of 222 beds. During their internal investigation, the hospital discovered that security guards had been accessing patients’ medical records without a legitimate work-related reason. A total of 419 medical records were found to have been viewed impermissibly.

In May 2018, OCR initiated an investigation into an incident involving unauthorized access to medical records, commonly known as snooping. The investigation revealed a widespread occurrence of security guards within the hospital’s emergency department engaging in this snooping activity. A total of 23 security guards had utilized their login credentials to access medical records in the hospital’s electronic medical record system without any legitimate justification for doing so. As a result, these security guards were able to view protected health information, including names, addresses, dates of birth, medical record numbers, certain treatment-related notes, and insurance information.

OCR concluded that the hospital had failed to establish reasonable and appropriate policies and procedures to comply with the requirements outlined in the Security Rule (45 C.F.R. § 164.316). Consequently, Yakima Valley Memorial Hospital opted to reach a settlement agreement with OCR. The terms of the settlement included a financial penalty of $240,000, with no admission of liability. To ensure full compliance with the HIPAA Rules, the hospital agreed to implement a corrective action plan.

This plan encompasses various measures. First, it involves conducting a comprehensive and accurate risk analysis. Second, it includes developing and implementing a risk management plan to address the risks that have been identified. Third, the plan involves updating HIPAA policies and procedures to ensure compliance with the regulations. Fourth, it aims to enhance the existing HIPAA security training program to improve staff awareness and knowledge. Fifth, the plan includes reviewing relationships with vendors and third-party service providers to identify any business associates. Finally, if business associate agreements are not already in place, the plan will establish appropriate agreements with these entities.

“Data breaches caused by current and former workforce members impermissibly accessing patient records are a recurring issue across the healthcare industry. Healthcare organizations must ensure that workforce members can only access the patient information needed to do their jobs. HIPAA-covered entities must have robust policies and procedures in place to ensure patient health information is protected from identity theft and fraud.”

OCR Director Melanie Fontes Rainer

This is the 6th HIPAA enforcement action OCR has taken in 2023, and it resulted in a financial penalty. It is also the second action OCR has announced this month. Since the beginning of the year, OCR has imposed penalties totaling $1,901,500 to resolve violations of the HIPAA Rules.
