Recent Settlements Show that not Understanding HIPAA Compliance Creates Risk for Breach

By: Susan St. John

In the last few months, settlements related to potential violations of HIPAA and the Security Rule have ranged from $31,000 to $5.5 million. The smallest settlement amount, $31k, for potential HIPAA compliance breach violations related to one missing Business Associate Agreement (“BAA”) between a pediatric group and an ePHI records storage company that had come under HHS’ Office of Civil Right’s (“OCR”) scrutiny. The pediatric group used the ePHI record storage company since 2003, yet could not locate or provide a signed BAA to the OCR prior to 2015. The outcome of the OCR’s compliance review indicates that internal risk analysis and risk management was not thoroughly undertaken.

The largest settlement reached was $5.5 million to be paid by Memorial Healthcare Systems (“MHS”) located in south Florida. MHS operates 6 hospitals, an urgent care center, a nursing home, and numerous ancillary healthcare facilities. Additionally, MHS is affiliated with physician offices through an Organized Health Care Arrangement. MHS experienced a breach that potentially compromised the ePHI of over 115,000 individuals, when impermissible access by its employees and impermissible disclosure to affiliated physicians occurred through the use of the login credentials of an affiliated physician’s former employee. Although MHS reported the breach and had policies and procedures in place related to HIPAA and the Security Rule, it had not implemented procedures for reviewing, modifying, and/or terminating users’ rights of access as required by HIPAA. Further, MHS failed to regularly review records of information system activity, in applications that maintain ePHI, by employees or workforce users or users at affiliated physician practices, even though MHS had identified such risk during risk analysis conducted from 2007 to 2012.Continue reading