Faegre Drinker Biddle & Reath LLP, a Delaware limited liability partnership | This website contains attorney advertising.
February 22, 2017

Costly Failure to Safeguard Protected Health Information from Unauthorized Staff

Key Takeaways

  • $5.5 million payment, tied for the highest HIPAA settlement amount
  • Important to review audit reports and trails for suspicious activity and maintain access controls

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) has kept up its rapid and aggressive enforcement of the Health Insurance Portability and Accountability Act (HIPAA) with another sizeable settlement. South Broward Hospital District, operating as Memorial Healthcare Systems (MHS), paid OCR $5.5 million to settle potential violations of HIPAA and agreed to a three-year corrective action plan. MHS is the third largest public health care system in the nation, and this is the third OCR HIPAA settlement and the fourth HIPAA action of 2017.

On April 12, 2012, MHS reported to HHS that two of its employees had inappropriately accessed protected health information (PHI), including patient names, dates of birth, and Social Security numbers. After an internal investigation, MHS discovered impermissible access by 12 users at affiliated physician offices that potentially affected another 105,646 individuals. According to the resolution agreement, some of the instances of impermissible access led to federal charges relating to the selling of protected health information and the filing of fraudulent tax returns.

Although MHS had identified the risk on several occasions before the privacy breach occurred, OCR’s investigation revealed that MHS impermissibly provided access to PHI to a former employee of an affiliated physician’s office, which resulted in the impermissible disclosure of the PHI of 80,000 individuals. In addition to this violation of the HIPAA Privacy Rule, OCR determined that MHS failed to implement procedures to regularly review records of information system activity, and failed to implement policies and procedures that establish, document, review and modify a user’s right of access to electronic PHI (ePHI), as required by the HIPAA Rules.

This large breach and settlement serve as a reminder that covered entities and business associates should use and review audit logs and audit trails, which show which users are accessing what types of PHI, so that suspicious system activity can be detected and stopped.
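As an added illustration of the two controls OCR cites above (routine review of system activity records, and keeping a user’s right of access current), the Python below runs two simple checks over an ePHI access audit trail. This is example code written for this note, not MHS’s, OCR’s or any vendor’s tooling; the log format, the user names, the access-rights register and the volume threshold are all constructed assumptions. The first check flags access by accounts that have no current access entry or whose access end date has passed (the former-employee scenario in the settlement); the second flags users who open an unusually large number of distinct patient records in a single day.

```python
"""Audit-trail review for ePHI access: constructed example, not real MHS data."""
from collections import defaultdict
from datetime import date, datetime

# Constructed access-rights register (assumption): user -> (role, access_end).
# access_end of None means the user's access is still current.
ACCESS_RIGHTS = {
    "jdoe":   ("clinic_staff", None),
    "asmith": ("clinic_staff", date(2017, 1, 15)),  # left an affiliated office
    "rlee":   ("billing", None),
}

# Constructed audit-trail lines (assumption): timestamp, user, patient id, data type.
SAMPLE_LOG = """\
2017-02-01T08:02:11 jdoe P1001 demographics
2017-02-01T08:10:40 jdoe P1002 demographics
2017-02-01T09:15:02 asmith P1003 ssn
2017-02-01T09:16:30 asmith P1004 ssn
2017-02-02T13:01:00 rlee P2001 ssn
2017-02-02T13:01:20 rlee P2002 ssn
2017-02-02T13:01:45 rlee P2003 ssn
2017-02-02T13:02:10 rlee P2004 ssn
2017-02-02T13:02:35 rlee P2005 ssn
2017-02-02T15:30:00 tmp42 P2006 demographics
"""


def parse_log(text):
    """Turn whitespace-separated audit lines into event dicts; skips blanks and comments."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, user, patient, kind = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "patient": patient, "kind": kind})
    return events


def terminated_access(events, rights):
    """Events by users with no access entry, or after their access end date."""
    findings = []
    for e in events:
        entry = rights.get(e["user"])
        if entry is None:
            findings.append((e["user"], e["ts"], "no access entry"))
        elif entry[1] is not None and e["ts"].date() > entry[1]:
            findings.append((e["user"], e["ts"], f"access ended {entry[1]}"))
    return findings


def high_volume_users(events, max_distinct_patients):
    """(user, day) pairs that touched more distinct patient records than the threshold."""
    seen = defaultdict(set)
    for e in events:
        seen[(e["user"], e["ts"].date())].add(e["patient"])
    return {key: len(p) for key, p in seen.items() if len(p) > max_distinct_patients}


def review(text, rights, max_distinct_patients):
    """Run both checks and return a summary for the reviewer."""
    events = parse_log(text)
    return {
        "events": len(events),
        "terminated_access": terminated_access(events, rights),
        "high_volume": high_volume_users(events, max_distinct_patients),
    }


if __name__ == "__main__":
    report = review(SAMPLE_LOG, ACCESS_RIGHTS, max_distinct_patients=3)
    print(f"{report['events']} events reviewed")
    for user, ts, why in report["terminated_access"]:
        print(f"ACCESS-RIGHTS: {user} at {ts.isoformat()} ({why})")
    for (user, day), n in report["high_volume"].items():
        print(f"VOLUME: {user} opened {n} distinct patient records on {day}")
```

In practice the threshold would be set per role from a baseline of normal activity, and the access-rights register would be fed from the HR or credentialing system so that a departure at an affiliated office actually ends the account; the point of the example is that both findings are visible only if someone (or something) reads the audit trail regularly.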

If you have any questions about this settlement or HIPAA compliance, please contact any member of Drinker Biddle’s Health Care Team or Information Privacy, Security and Governance Team.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.
