Memorial Healthcare System (MHS) recently settled alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). Under the settlement, MHS agreed to pay $5.5 million and implement a corrective action plan (CAP) for a breach involving the impermissible access and disclosure of protected health information (PHI).
MHS is a nonprofit corporation that operates six hospitals and numerous ancillary health care facilities in Florida. MHS reported to OCR that MHS employees had impermissibly accessed PHI belonging to 115,143 individuals and disclosed the PHI to affiliated physician office staff members. The compromised information included names, dates of birth, and Social Security numbers.
The OCR investigation further revealed the following:
- MHS failed to regularly review information system activity records on applications that maintain electronic protected health information (ePHI);
- MHS had conducted several risk analyses between 2007 and 2012 that identified reviewing records of information system activity as a risk facing the organization; and
- MHS failed to implement policies and procedures for the documentation, review, and modification of users' rights of access.
OCR imposed a CAP requiring MHS to develop and implement a risk analysis and management plan. The CAP further requires MHS to revise its policies and procedures regarding information system activity to include regular review of audit logs, access reports, and security incident reports. Following HHS approval, MHS must distribute the new policies and procedures to all workforce members, as well as business associates and vendors of affiliated entities.
The OCR press release is available at: