Settlement Reached in HIPAA Security Rule Violation Case with BayCare Health System
Recently, the Office for Civil Rights in the U.S. Department of Health and Human Services announced a settlement with BayCare Health System based in Tampa, Florida, regarding potential violations of the HIPAA Security Rule. The settlement, totaling $800,000, comes after an OCR investigation into unauthorized access to a patient’s electronic protected health information (ePHI) at BayCare.
Background of the Case
The OCR received a complaint in October 2018 from a patient who alleged that an unknown individual had accessed her medical records without authorization. The investigation revealed that the credentials used to access the complainant’s medical record belonged to a former non-clinical staff member of a separate physician’s practice that had access to BayCare’s electronic medical records.
Violations of the HIPAA Security Rule
BayCare was found to have potentially violated multiple HIPAA Security Rule requirements, including the failure to implement policies and procedures for authorizing access to ePHI in line with the HIPAA Privacy Rule. Additionally, the health system did not adequately reduce risks and vulnerabilities to ePHI or regularly review records of information system activity.
Terms of the Settlement
As part of the settlement, BayCare agreed to pay $800,000 to OCR and to implement a corrective action plan that will be monitored for two years. The provider must conduct a comprehensive risk analysis to identify potential risks to the confidentiality, integrity, and availability of ePHI. BayCare is also required to develop a risk management plan, revise its policies to comply with the HIPAA Rules, and provide training on HIPAA policies and procedures to staff members with access to ePHI.
Importance of Protecting ePHI
OCR has been active in investigating and settling cases involving violations of the HIPAA Privacy and Security Rules. The Security Rule is undergoing updates to enhance protections for patients’ ePHI. Covered entities are urged to take steps to safeguard ePHI, including understanding its flow within the organization, integrating risk analysis and management, implementing audit controls, and encrypting ePHI to prevent unauthorized access.
Statement from OCR Acting Director
OCR Acting Director Anthony Archeval emphasized the importance of limiting access to patient health information in order to protect it against insider threats. In a statement, he highlighted the risks of allowing unrestricted access to ePHI in an era of hacking and ransomware attacks.
Healthcare IT News is a HIMSS publication. For more information, contact the writer: mike.miliard@himssmedia.com