[BreachExchange] $5.5 Million HIPAA Settlement Shines Light on Importance of Audit Controls

[Audrey McNeil]

https://www.insurancenewsnet.com/oarticle/5-5-million-
hipaa-settlement-shines-light-on-importance-of-audit-controls

Memorial Healthcare Systems (MHS) has paid the U.S. Department of Health
and Human Services (HHS) $5.5 million to settle potential violations of the
Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy
and Security Rules and agreed to implement a robust corrective action plan.
MHS is a nonprofit corporation which operates six hospitals, an urgent care
center, a nursing home, and a variety of ancillary health care facilities
throughout the South Florida area. MHS is also affiliated with physician
offices through an Organized Health Care Arrangement (OHCA).

MHS reported to the HHS Office for Civil Rights (OCR) that the protected
health information (PHI) of 115,143 individuals had been impermissibly
accessed by its employees and impermissibly disclosed to affiliated
physician office staff. This information consisted of the affected
individuals' names, dates of birth, and social security numbers. The login
credentials of a former employee of an affiliated physician's office had
been used to access the ePHI maintained by MHS on a daily basis without
detection from April 2011 to April 2012, affecting 80,000 individuals.
Although it had workforce access policies and procedures in place, MHS
failed to implement procedures with respect to reviewing, modifying and/or
terminating users' right of access, as required by the HIPAA Rules.
Further, MHS failed to regularly review records of information system
activity on applications that maintain electronic protected health
information by workforce users and users at affiliated physician practices,
despite having identified this risk on several risk analyses conducted by
MHS from 2007 to 2012.

"Access to ePHI must be provided only to authorized users, including
affiliated physician office staff" said Robinsue Frohboese, Acting
Director, HHS Office for Civil Rights. "Further, organizations must
implement audit controls and review audit logs regularly. As this case
shows, a lack of access controls and regular review of audit logs helps
hackers or malevolent insiders to cover their electronic tracks, making it
difficult for covered entities and business associates to not only recover
from breaches, but to prevent them before they happen."

The Resolution Agreement and Corrective Action Plan may be found on the OCR
website at http://www.hhs.gov/hipaa/for-professionals/compliance-
enforcement/agreements/memorial

OCR offers helpful guidance on the importance of audit controls and audit
trails at https://www.hhs.gov/sites/default/files/january-2017-
cyber-newsletter.pdf - PDF

To learn more about non-discrimination and health information privacy laws,
your civil rights, and privacy rights in health care and human service
settings, and to find information on filing a complaint, visit us at
http://www.hhs.gov/hipaa/index.html
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170217/c0a4377c/attachment.html>