
The Office for Civil Rights in the U.S. Department of Health and Human Services this week announced that it has reached a settlement with Tampa, Florida-based BayCare Health System over several potential violations of the HIPAA Security Rule.
WHY IT MATTERS
The settlement, for $800,000, resolves an OCR investigation into alleged impermissible access to a patient's electronic protected health information, or ePHI, at BayCare.
OCR says it first received a complaint in October 2018, with someone who had received care at the health system alleging that she had subsequently been contacted by "an unknown individual who had photographs of her printed medical records [and] video of someone scrolling through her medical records on a computer screen."
The OCR investigation found the credentials that had been used to access the complainant's medical record belonged to a former non-clinical staff member of another physician's practice that had access to BayCare's electronic medical records.
Investigators say BayCare potentially violated multiple HIPAA Security Rule requirements, including failing to implement policies and procedures for authorizing access to ePHI that are consistent with the applicable requirements of the HIPAA Privacy Rule.
Additionally, OCR says the health system failed to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level, and to regularly review records of information system activity.
Under the terms of the settlement, BayCare agreed to pay OCR $800,000 and implement a corrective action plan that OCR will monitor for two years.
With that plan, the provider will be tasked with "conducting an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI," according to OCR.
It will also have to implement a risk management plan, revise its written policies and procedures to comply with the HIPAA Rules and train staff members who have access to ePHI on its HIPAA policies and procedures.
THE LARGER TREND
Across presidential administrations, the HHS Office for Civil Rights has been busy in recent years investigating and settling cases involving both the HIPAA Privacy Rule and the HIPAA Security Rule, whether the alleged violations involved right of access, ransomware attacks, malicious insiders or other threats to patients' ePHI.
The Security Rule is set for an update (its first since 2013), with a notice of proposed rulemaking published this past January, during the final days of the Biden administration, containing new proposals and clarifications, such as removing the distinction between "required" and "addressable" specifications, and making all of them mandatory, with limited exceptions.
But well before that, OCR has consistently called on HIPAA covered entities – providers, health plans, healthcare clearinghouses – and their business associates to take steps to protect patients' ePHI, including understanding where ePHI is located in the organization and how it "enters, flows through, and leaves the organization's information systems."
It also emphasizes the importance of integrating risk analysis and risk management into an organization's business processes; ensuring that audit controls are in place to record and examine information system activity; and implementing regular reviews of information system activity and encrypting ePHI in transit and at rest to guard against unauthorized access, among other risk mitigation basics.
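The "regular reviews of information system activity" and role-based access controls OCR refers to can be made concrete with a small audit-log review. The following is an added example written for this article; it is not BayCare's code, nor anything OCR has published. The log format, the account roster fields (role, termination date), the treatment-relationship table and every log line are constructed for illustration only, and the three checks (terminated account, non-clinical role viewing a chart, no documented treatment relationship) are the reviewer's own choice of rules.

```python
"""
Added example (not from the article, OCR or BayCare): a minimal periodic
review of EMR access-log records against an account roster and a
treatment-relationship table, the kind of "information system activity
review" the HIPAA Security Rule expects. Every log line, account record
and field name below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed roster (field names assumed): role and, if the account was
# deprovisioned, the termination date. A properly deprovisioned account
# should not be able to log in at all; the review catches the case where it
# still can, which is what the article's incident describes.
ACCOUNTS = {
    "jdoe":   {"role": "physician",  "terminated": None},
    "asmith": {"role": "front_desk", "terminated": "2018-06-30"},  # former staff
    "bwong":  {"role": "nurse",      "terminated": None},
}

# Roles permitted to open a patient chart (assumed policy, not OCR guidance).
CLINICAL_ROLES = {"physician", "nurse"}

# Constructed treatment relationships: patients each user is assigned to.
ASSIGNED_PATIENTS = {
    "jdoe": {"P1001", "P1002"},
    "bwong": {"P1001"},
}

# Constructed EMR audit log, one event per line:
# timestamp|user|action|patient_id|records_touched
SAMPLE_LOG = """\
2018-09-10T09:12:05|jdoe|VIEW_CHART|P1001|3
2018-09-10T09:40:22|asmith|VIEW_CHART|P1002|14
2018-09-10T23:05:41|bwong|VIEW_CHART|P1002|1
2018-09-11T10:00:00|jdoe|VIEW_CHART|P1002|2
"""


@dataclass
class Finding:
    user: str
    patient_id: str
    timestamp: str
    reason: str


def parse_log(text):
    """Parse the constructed pipe-delimited log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient, count = line.split("|")
        events.append({"ts": ts, "user": user, "action": action,
                       "patient": patient, "count": int(count)})
    return events


def review_access(events, accounts=ACCOUNTS, assigned=ASSIGNED_PATIENTS):
    """Return one Finding per event that fails an access-policy check.

    Checks, in order of severity: unknown account, access after the
    account's termination date, non-clinical role opening a chart, and
    chart access with no documented treatment relationship.
    """
    findings = []
    for ev in events:
        acct = accounts.get(ev["user"])
        when = datetime.fromisoformat(ev["ts"]).date()
        if acct is None:
            findings.append(Finding(ev["user"], ev["patient"], ev["ts"],
                                    "unknown account"))
            continue
        if acct["terminated"] and when > date.fromisoformat(acct["terminated"]):
            findings.append(Finding(ev["user"], ev["patient"], ev["ts"],
                                    "access after account termination date"))
            continue
        if ev["action"] == "VIEW_CHART" and acct["role"] not in CLINICAL_ROLES:
            findings.append(Finding(ev["user"], ev["patient"], ev["ts"],
                                    "non-clinical role viewing chart"))
            continue
        if ev["patient"] not in assigned.get(ev["user"], set()):
            findings.append(Finding(ev["user"], ev["patient"], ev["ts"],
                                    "no documented treatment relationship"))
    return findings


if __name__ == "__main__":
    for f in review_access(parse_log(SAMPLE_LOG)):
        print(f"{f.timestamp} {f.user} -> {f.patient_id}: {f.reason}")
```

On the constructed log this flags the former staff member's access (terminated account) and a nurse opening a chart of a patient not assigned to them; the physician's access to assigned patients produces no finding. The review is retrospective, so it complements rather than replaces the controls OCR cites: authorization policies and timely deprovisioning stop the access, while the activity review detects what slipped through.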
ON THE RECORD
"In an era of hacking and ransomware attacks, HIPAA regulated entities still need to ensure that workforce members and other users with access to an electronic medical record only have access to the health information necessary for them to perform their jobs," said OCR acting Director Anthony Archeval in a statement. "Allowing unrestricted access to patient health information can create an attractive target for a malicious insider."
Mike Miliard is executive editor of Healthcare IT News
Email the writer: mike.miliard@himssmedia.com
Healthcare IT News is a HIMSS publication.