On June 15, 2023, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced a settlement for $240,000 with Yakima Valley Memorial Hospital, a not-for-profit community hospital located in Yakima, Washington.
In May 2018, OCR launched an investigation into Yakima Valley Memorial Hospital regarding allegations that multiple security guards from the hospital impermissibly accessed around 419 medical records of individuals in violation of the Health Insurance Portability and Accountability Act (HIPAA) regulations. Twenty-three security guards in the hospital used their hospital log-in credentials to access patient medical records maintained through an electronic medical record system without a job-related purpose. The information accessed by the security guards included names, dates of birth, addresses, medical record numbers, notes related to treatment, and information regarding insurance.
As a result of the settlement, Yakima Valley Memorial Hospital is required to implement corrective actions and will be monitored by OCR for two years to ensure the hospital remains in compliance with the HIPAA Security Rule.
Next Steps for Yakima Valley Memorial Hospital:
Yakima Valley Memorial Hospital has agreed to take the following steps for corrective action:
- Develop and maintain written HIPAA procedures and policies.
- Enhance existing security training programs to provide information on updated HIPAA procedures and policies.
- Conduct a thorough risk analysis to determine vulnerabilities and risks to electronic protected health information and implement a risk management plan to mitigate and address identified security risks.
Key Takeaways
- HIPAA-covered entities must have robust procedures and policies in place to protect patient health information from identity theft and fraud.
- Internal threats can cause just as much damage as external threats to protected health information.
- Insider threats can result from negligent or careless workers, or they can emerge from disgruntled employees.
- Regardless of intent, insider threats are likely to result in data breaches.
- Prioritize training employees with updated HIPAA procedures and policies.
The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/yakima-ra-cap/index.html
Natasha Ganesh contributed to this article.
© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.