On October 23, 2019, the Office for Civil Rights (OCR) at HHS announced the imposition of a $2,154,000 civil monetary penalty against a Florida hospital system (Hospital System) for alleged violations of the HIPAA Security and Breach Notification Rules between 2013 and 2016. The underlying incidents include the loss of paper records containing protected health information (PHI), the posting on social media of a photograph of an operating room screen, and an employee’s inappropriate access to thousands of patient records for the purpose of selling patient information. OCR concluded that the Hospital System failed to provide timely and accurate breach notification to OCR, conduct a risk analysis, manage risk to a reasonable and appropriate level, regularly review information system activity records, and restrict authorization of its workforce members’ access to patient PHI to the minimum necessary to accomplish job duties.
The allegations contained in OCR’s Notice of Proposed Determination include the following:
- In 2013, the Hospital System submitted a breach report to OCR stating that it lost paper records containing the PHI of 756 patients. Although an internal investigation by the Hospital System revealed that three additional boxes of records were missing, this additional loss was not reported to OCR until 2016.
- In 2015, a reporter shared on social media a photograph of an operating room screen containing a patient’s medical information, prompting an investigation by OCR. The Hospital System then determined that two employees had accessed this patient’s medical record without a job-related purpose.
- In 2016, the Hospital System submitted a breach report to OCR, reporting that an employee had been selling patient PHI, and had accessed the records of over 24,000 patients since 2011.
In the Notice of Proposed Determination, OCR alleges deficiencies in the Hospital System’s compliance efforts, and specifically, the conduct of risk analyses by third parties and the follow-up on such analyses by the Hospital System. According to the Notice, one risk analysis failed to include all of the relevant electronic PHI and did not identify the totality of threats and vulnerabilities that exist in its system; another risk analysis concluded that the Security Rule was “not applicable” to the Hospital System; and another was not system-wide. Additionally, according to the Notice, the Hospital System did not provide evidence that it acted on the findings in the risk analyses.
OCR’s press release, the Notice of Proposed Determination, and the Notice of Final Determination are available here.