Memorial Healthcare System pays $5.5 million to settle HIPAA suit over lack of audit controls
Memorial Healthcare System (MHS) has paid the U.S. Department of Health and Human Services $5.5 million to settle potential HIPAA violations. MHS executives also agreed to implement a robust corrective action plan.
The health system operates six hospitals, an urgent care center, a nursing home and a variety of ancillary healthcare facilities throughout South Florida. It is also affiliated with physician offices through an Organized Health Care Arrangement.
MHS reported to the HHS Office for Civil Rights that the protected health information of 115,143 individuals had been accessed by its employees and also disclosed to affiliated physician office staff. The information consisted of individuals’ names, dates of birth, and social security numbers.
The login credentials of a former employee of an affiliated physician’s office were used to access the ePHI on a daily basis without detection from April 2011 to April 2012, affecting 80,000 individuals, according to OCR. Although it had workforce access policies and procedures in place, MHS failed to implement procedures for reviewing, modifying and/or terminating users’ right of access, as required by the HIPAA rules.
Also, MHS failed to regularly review records of information system activity on applications that maintain electronic protected health information by workforce users and users at affiliated physician practices – even after having identified the risk on several risk analyses MHS conducted from 2007 to 2012.
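The two controls the settlement turns on, terminating access when workforce members leave and regularly reviewing system activity records, can be checked together by reconciling application access logs against a workforce roster. The script below is an added example, not code from MHS, OCR or the article; the roster, usernames and log lines are constructed, and the log format (timestamp,user,record_id,action) is an assumption.

```python
# Added example (not MHS's or OCR's code): reconcile ePHI application access
# logs against a workforce roster and flag accounts used after their holder's
# termination date, counting distinct days of use. All data is constructed.
from collections import defaultdict
from datetime import date, datetime

# Constructed roster: username -> termination date (None = still active).
# Includes affiliated-practice staff, since they also hold ePHI access.
ROSTER = {
    "jdoe": None,
    "asmith": date(2011, 3, 15),   # left the affiliated practice before the log
    "bwong": None,
}

# Constructed application access log: timestamp,user,record_id,action
ACCESS_LOG = """\
2011-04-01T08:12:00,asmith,MRN-10001,view
2011-04-01T09:30:00,jdoe,MRN-10002,view
2011-04-02T08:15:00,asmith,MRN-10003,view
2011-04-03T08:09:00,asmith,MRN-10004,view
2011-04-03T14:00:00,bwong,MRN-10005,view
2011-04-03T14:05:00,ghost,MRN-10006,view
"""

def parse_log(text):
    """Yield (timestamp, user, record_id, action) for each non-empty line."""
    for line in text.splitlines():
        if line.strip():
            ts, user, record, action = line.split(",")
            yield datetime.fromisoformat(ts), user, record, action

def review_access(log_text, roster):
    """Return {user: (reason, distinct_days, record_count)} for accounts that
    are unknown to the roster or were used after the holder's termination."""
    hits = defaultdict(lambda: [None, set(), 0])
    for ts, user, _record, _action in parse_log(log_text):
        if user not in roster:
            reason = "account not in workforce roster"
        elif roster[user] is not None and ts.date() > roster[user]:
            reason = f"access after termination on {roster[user].isoformat()}"
        else:
            continue  # active, rostered account: nothing to flag
        hit = hits[user]
        hit[0] = reason
        hit[1].add(ts.date())
        hit[2] += 1
    return {u: (r, len(days), n) for u, (r, days, n) in hits.items()}
```

Run daily against the real roster feed, the distinct-day count is what surfaces a credential used every day for a year; a single orphaned account with many days of use is the finding to escalate.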
“Access to ePHI must be provided only to authorized users, including affiliated physician office staff,” HHS Office for Civil Rights Acting Director Robinsue Frohboese said in a statement.
Organizations must implement audit controls and review audit logs regularly, she added, noting that the MHS case revealed a lack of access controls and regular review of audit logs, making it easier for hackers or malevolent insiders to cover their electronic tracks.