Hospital Settles HIPAA Investigation Over Allegations of Medical Record Access by Security Guards

King & Spalding

On June 15, 2023, OCR announced a settlement with Yakima Valley Memorial Hospital (Yakima) after completing a HIPAA investigation regarding allegations that hospital security guards accessed medical records of 419 patients. Yakima voluntarily resolved the matter by agreeing to pay $240,000 and implement a corrective action plan to train its workforce and update its policies and procedures to safeguard its protected health information (PHI).

OCR began investigating Yakima in May 2018 after receiving a breach notification report alleging that twenty-three emergency department security guards accessed patient medical records without a job-related purpose.

Yakima’s voluntary resolution of the matter resulted in a resolution agreement and corrective action plan that included no admission of liability. Under this agreement, OCR will monitor Yakima for two years to ensure compliance with the HIPAA Security Rule. In this resolution, Yakima also agreed to take the following steps:

  • Conduct a risk analysis regarding the security risks and vulnerabilities to electronic PHI;
  • Develop a risk management plan to address and mitigate the identified risks and vulnerabilities;
  • Develop, maintain, and revise written HIPAA policies and procedures;
  • Distribute HIPAA policies and procedures to all members of the workforce with access to PHI, and obtain signatures from workforce members regarding compliance with the policies;
  • Enhance its HIPAA and Security Training Program to update the workforce on compliance with HIPAA policies and procedures;
  • Review vendor and third-party service provider relationships to identify and obtain business associate agreements;
  • Promptly investigate the failure of a workforce member to comply with HIPAA policies, and report material failures to HHS within thirty days;
  • Submit an Implementation Report to HHS within 120 days after receiving HHS’s approval of the risk management plan, policies, procedures, and training materials; and
  • Submit Annual Reports to HHS within sixty days after the end of each one-year period during the course of compliance obligations.

The HHS announcement can be found here. The resolution agreement and corrective action plan can be found here.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
