Last month, Memorial Healthcare System (MHS) agreed to implement a comprehensive corrective action plan and pay a 5.5-million-dollar settlement for the breach of protected health information (PHI) that affected over 100,000 individuals. This is the second largest fine against a covered entity to date, sending a strong message that audit controls will be a key focus for the future. (1)
According to the U.S. Department of Health and Human Services, the login credentials of a former employee from an affiliated MHS doctor’s office were used to access patient information without detection from 2011 to 2012. The information retrieved included patient names, dates of birth, and social security numbers. (1)
MHS is a nonprofit that operates multiple hospitals, an urgent care center, a nursing home, and ancillary healthcare facilities across South Florida. MHS is also affiliated with doctor’s offices through an Organized Health Care Arrangement. The participation in an OHCA enables covered entities to affiliate themselves with additional physicians’ offices in the community, requiring employees from those offices to have access to patient records company-wide.
Further investigation of the breach, uncovered that information obtained through the inappropriate access of PHI resulted in federal criminal charges including selling patient information and filing fraudulent tax returns. Though MHS had the appropriate policies and procedures in place, they failed to regularly review, modify and terminate users’ access, as required by HIPAA. MHS also failed to review records of activity by workforce users and affiliated practices, despite having identified this as a risk. (1)
According to HHS Office for Civil Rights, access to ePHI must be provided only to authorized users, including affiliated physician office staff. Organizations must implement audit controls and review audit logs regularly to prevent the breach of patient’s health information. (1)
Below are some valuable safety measures to consider when it comes to the protection of patient information and HIPAA compliance (2):