Yakima HIPAA Fine

On June 15, 2023, the Department of Health and Human Services Office for Civil Rights (OCR) announced a HIPAA settlement with Yakima Valley Memorial Hospital. The settlement stemmed from a breach in which several of the hospital's security guards had used their own login credentials to view patient medical records that their jobs gave them no reason to access.

The Details

OCR opened its investigation of Yakima in May 2018 after receiving a breach notification report stating that 23 security guards had used their login credentials to access patient electronic protected health information (ePHI). The guards allegedly viewed records containing the names, dates of birth, medical record numbers, addresses, treatment notes, and insurance information of 419 patients.

To resolve the matter, Yakima agreed to pay $240,000 to OCR, to adopt a corrective action plan, and to submit to two years of OCR monitoring.

To prevent similar incidents from occurring in the future, Yakima must:

  • Conduct an accurate and thorough security risk assessment 
  • Develop and implement a risk management plan
  • Develop, maintain, and revise, as necessary, its written HIPAA policies and procedures
  • Enhance its existing HIPAA and Security Training Program to provide workforce training on the updated HIPAA policies and procedures
  • Review all relationships with vendors and third-party service providers to identify business associates and obtain business associate agreements with business associates if not already in place

When commenting on the incident, OCR Director Melanie Fontes Rainer stated, “Data breaches caused by current and former workforce members impermissibly accessing patient records are a recurring issue across the healthcare industry. Health care organizations must ensure that workforce members can only access the patient information needed to do their jobs. HIPAA covered entities must have robust policies and procedures in place to ensure patient health information is protected from identity theft and fraud.”


How This Incident Could Have Been Prevented

Breaches like the one at Yakima are preventable when an organization runs an effective HIPAA compliance program. The security guards should never have had access to patient charts in the first place: HIPAA's minimum necessary standard limits access to PHI to the workforce members who need it to perform their job duties. Note that the guards did not break in; they used credentials the hospital had issued to them, so the failure was one of authorization scope, not of authentication. Enforcing the minimum necessary limit takes three things working together: written policies and procedures, workforce training, and technical access and audit controls.

HIPAA Policies and Procedures

HIPAA policies and procedures spell out how the organization limits access to data, which safeguards secure that data, and how breaches are reported. They must be written for the specific organization rather than copied from a template, so that they account for how that organization actually operates.

Employee HIPAA Training 

Untrained staff are a leading contributor to healthcare breaches. Employees who do not understand when they may and may not open a patient record can cause a breach without any malicious intent, and a lack of cybersecurity training also leaves staff exposed to healthcare phishing. Every workforce member who could access PHI must receive HIPAA training when hired and on a recurring (typically annual) basis, covering the organization's policies and procedures, HIPAA basics, and cybersecurity best practices.

Access and Audit Controls

Access controls start with unique user identification: every workforce member logs in with their own credentials, so that rights can be granted by job role rather than to everyone who holds a password. A security guard's role should carry no rights to clinical records at all; a billing clerk's role might cover demographics and insurance but not treatment notes. Audit controls record, against those unique credentials, who opened which record and when. That record only helps if someone reviews it: a log review or automated alert that flags views outside a role's permitted data, or one user opening an unusual number of charts, is what turns an audit trail into early detection of the kind of access that occurred at Yakima.
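The combination of role-based access control and audit-log review described above, as an added example in Python. This is illustrative code, not code from the original page or from any hospital's systems; the role names, the resource classes, the ROLE_PERMISSIONS table, the log line format, the bulk threshold and the sample log lines are all assumptions constructed for the example. It denies by default, flags every view a role is not permitted to make, flags a single user opening several distinct charts in one day, and skips malformed log lines instead of trusting them.

```python
"""Role-based access check plus audit-log review for ePHI access.

Added example, not code from the original page or from any hospital's
systems. The role names, resource classes, ROLE_PERMISSIONS table, log
line format and the sample log lines below are all assumptions
constructed for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed minimum-necessary policy: the ePHI resource classes each job
# role needs. Roles and resources not listed here are denied by default.
ROLE_PERMISSIONS = {
    "physician": {"demographics", "clinical_notes", "insurance"},
    "nurse": {"demographics", "clinical_notes"},
    "billing": {"demographics", "insurance"},
    "security_guard": set(),  # the job needs no patient-chart access at all
}


def authorize(role: str, resource: str) -> bool:
    """Deny-by-default: unknown roles and unlisted resources are refused."""
    return resource in ROLE_PERMISSIONS.get(role, set())


# Constructed audit log in an assumed format:
#   <ISO timestamp> user=<id> role=<role> action=view patient=<mrn> resource=<class>
SAMPLE_AUDIT_LOG = """\
2023-03-01T08:15:01Z user=jdoe role=physician action=view patient=MRN1001 resource=clinical_notes
2023-03-01T08:17:44Z user=asmith role=nurse action=view patient=MRN1001 resource=demographics
2023-03-01T22:05:10Z user=guard07 role=security_guard action=view patient=MRN1002 resource=clinical_notes
2023-03-01T22:06:31Z user=guard07 role=security_guard action=view patient=MRN1003 resource=demographics
2023-03-01T22:08:02Z user=guard07 role=security_guard action=view patient=MRN1004 resource=insurance
2023-03-01T23:40:55Z user=guard12 role=security_guard action=view patient=MRN1005 resource=demographics
2023-03-02T09:00:12Z user=bjones role=billing action=view patient=MRN1006 resource=clinical_notes
this line is malformed and must not crash the review
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) action=(?P<action>\S+) "
    r"patient=(?P<patient>\S+) resource=(?P<resource>\S+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    role: str
    patients: str
    resource: str
    reason: str


def parse_log(text: str) -> list:
    """Parse log lines; malformed lines are skipped rather than trusted."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def review_audit_log(text: str, bulk_threshold: int = 3) -> list:
    """Flag (1) every view outside the role's permitted set and (2) any user
    who opens bulk_threshold or more distinct patient charts in one day."""
    findings = []
    charts_per_user_day = defaultdict(set)
    role_of = {}
    for ev in parse_log(text):
        role_of[ev["user"]] = ev["role"]
        if not authorize(ev["role"], ev["resource"]):
            findings.append(Finding(ev["ts"], ev["user"], ev["role"], ev["patient"],
                                    ev["resource"], "role not permitted to view resource"))
        # Group by calendar day (first 10 characters of the ISO timestamp).
        charts_per_user_day[(ev["user"], ev["ts"][:10])].add(ev["patient"])
    for (user, day), charts in sorted(charts_per_user_day.items()):
        if len(charts) >= bulk_threshold:
            findings.append(Finding(day, user, role_of[user], ",".join(sorted(charts)),
                                    "*", f"bulk access: {len(charts)} distinct charts in one day"))
    return findings


if __name__ == "__main__":
    for f in review_audit_log(SAMPLE_AUDIT_LOG):
        print(f"{f.ts} {f.user} ({f.role}) {f.patients} {f.resource}: {f.reason}")
```

On the sample log the review produces six findings: four views by security guards (whose role has no chart access), one view of treatment notes by a billing user whose role is limited to demographics and insurance, and one bulk-access finding for the guard who opened three different charts in one evening. The billing finding is the point of the role table: the problem is not only roles with no access, but any role reaching data outside what its job requires.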
