Summary
On February 16, 2017, the U.S. Department of Health and Human Services (“HHS”), Office for Civil Rights (“OCR”) announced that Memorial Healthcare Systems of Florida (“MHS”) agreed to pay $5.5 million and enter into a comprehensive corrective action plan (“CAP”) to settle alleged HIPAA Privacy Rule and Security Rule violations. The settlement is the first publicly announced HIPAA resolution during President Trump’s administration, and it matches the largest ever imposed on a single legal entity. The MHS settlement highlights the importance of covered entities and business associates implementing and enforcing audit controls and terminating former employees’ access to protected health information (“PHI”).
MHS is a non-profit corporation that operates six hospitals and other health care entities and facilities in Florida. MHS is also affiliated with physician offices through an organized health care arrangement (“OHCA”).
On April 12, 2012, MHS reported a breach to the OCR stating that two MHS employees inappropriately accessed MHS’ PHI. On July 11, 2012, MHS submitted an addendum to the initial breach report, stating that it had identified impermissible access by 12 additional users, with a total of 155,646 individuals potentially affected. OCR’s press release announcing the MHS settlement stated that the login credentials of a former employee of an MHS-affiliated physician practice had been used to access electronic PHI daily from April 2011 through April 2012 without detection. According to the Resolution Agreement, some of these instances led to federal charges related to selling PHI and filing fraudulent tax returns.
OCR’s investigation of the MHS reported breach demonstrated the following:
- The PHI of 80,000 individuals was impermissibly disclosed when MHS provided access to the PHI to a former employee of an affiliated physician practice from April 2011 through April 2012;
- From January 1, 2011 through June 1, 2012, MHS did not implement procedures to regularly review records of its information system activity; and
- From January 1, 2011 through June 1, 2012, MHS did not implement policies and procedures to establish, document, review, or modify a user’s right of access.
In addition to the $5.5 million payment, the three-year CAP requires MHS to do the following:
- Complete a risk analysis and risk management plan;
- Revise its policies and procedures for review by OCR: (1) with respect to information system activity review, require regular review of audit logs, access reports and security incident tracking reports; (2) with respect to access establishment, modification and termination, include protocols for access to electronic PHI by affiliated physicians, their practices and employees; and (3) review and revise existing risk analysis and risk management policies and procedures; and
- Develop and submit to OCR a plan to internally monitor MHS’ compliance with the CAP, and also engage a third-party assessor to review MHS’ compliance.
OCR’s press release and the Resolution Agreement may be found here.
The settlement highlights the importance of not only having comprehensive HIPAA Privacy and Security policies and procedures, but also ensuring those policies and procedures are enforced. For large covered entities such as health systems, it is important that HIPAA compliance extend to the affiliated covered components, including the members of an OHCA. Ensuring that terminated employees, including those of affiliated practices, no longer have access to PHI, and regularly reviewing access logs to catch credentials that were never disabled, is critical for HIPAA compliance.
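The two controls the CAP calls for, regular review of access logs and termination of access for former workforce members of affiliated practices, can be reduced to a simple reconciliation: compare an HR termination roster against electronic PHI access records and flag any use of a credential after its owner’s separation date. The following is an added example written for this article, not MHS code or anything from the Resolution Agreement. The roster, the log lines, the `Worker` type, the practice name “Sunrise Physicians” and the log format are all constructed for illustration. The `include_affiliates` switch shows the gap the settlement describes: a review that only checks the health system’s own former staff never sees the affiliated-practice account.

```python
"""Reconcile an HR termination roster against PHI access logs.

All data below is constructed for illustration; it is not MHS data
and not evidence from the OCR investigation.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional


@dataclass(frozen=True)
class Worker:
    user_id: str
    employer: str               # "MHS" or an affiliated practice (assumed field)
    terminated: Optional[date]  # None means still employed


# Constructed HR roster. The OHCA member (an affiliated practice) is included,
# which is exactly the protocol the CAP requires the access policies to cover.
ROSTER = [
    Worker("jdoe",   "MHS",                None),
    Worker("rlee",   "MHS",                date(2011, 2, 28)),
    Worker("mpatel", "Sunrise Physicians", date(2011, 3, 31)),  # affiliated practice
]

# Constructed EHR access-log lines: timestamp,user_id,patient_id,action
ACCESS_LOG = """\
2011-04-04T09:12:01,jdoe,P100,view
2011-04-04T09:15:44,mpatel,P101,view
2011-04-04T09:16:02,mpatel,P102,view
2011-04-05T10:01:13,rlee,P100,view
2011-04-05T10:03:51,mpatel,P103,print
2011-04-06T08:44:09,jdoe,P104,view
2011-04-06T08:50:30,mpatel,P101,view
"""


def parse_log(text):
    """Parse CSV-style log lines into (timestamp, user, patient, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split(",")
        events.append((datetime.fromisoformat(ts), user, patient, action))
    return events


def find_post_termination_access(events, roster, include_affiliates=True):
    """Return {user_id: summary} for every access made after the user's termination.

    Access on the termination date itself is treated as legitimate (last day of
    work); anything after that date means the credential was never disabled.
    With include_affiliates=False only the health system's own former staff
    are checked, which reproduces the blind spot described in the settlement.
    """
    term_dates = {
        w.user_id: w.terminated
        for w in roster
        if w.terminated is not None and (include_affiliates or w.employer == "MHS")
    }
    hits = defaultdict(lambda: {"events": 0, "patients": set(), "first": None, "last": None})
    for ts, user, patient, _action in events:
        term = term_dates.get(user)
        if term is None or ts.date() <= term:
            continue
        h = hits[user]
        h["events"] += 1
        h["patients"].add(patient)
        h["first"] = ts if h["first"] is None else min(h["first"], ts)
        h["last"] = ts if h["last"] is None else max(h["last"], ts)
    return dict(hits)


def individuals_affected(hits):
    """Distinct patients touched by any flagged account (the breach-report count)."""
    affected = set()
    for h in hits.values():
        affected |= h["patients"]
    return len(affected)


if __name__ == "__main__":
    events = parse_log(ACCESS_LOG)
    for mode in (False, True):
        hits = find_post_termination_access(events, ROSTER, include_affiliates=mode)
        print(f"include_affiliates={mode}: flagged {sorted(hits)}, "
              f"{individuals_affected(hits)} individuals affected")
        for user, h in sorted(hits.items()):
            print(f"  {user}: {h['events']} events, {len(h['patients'])} patients, "
                  f"{h['first']:%Y-%m-%d} to {h['last']:%Y-%m-%d}")
```

Run it and the affiliate-aware pass flags both `rlee` and `mpatel`, while the MHS-only pass flags just `rlee` and silently misses the affiliated-practice account. In practice the roster feed is the hard part: the access-termination protocol for affiliated physicians and their employees has to deliver separation dates into this reconciliation, or the review is only as complete as the health system’s own HR records.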