In a record-breaking year for HIPAA fines, the HHS doesn’t seem to be slowing down. The HHS announced that they have reached a settlement with the City of New Haven, Connecticut for HIPAA violations. The HIPAA violation occurred as a result of the New Haven Health Department’s failure to revoke access to their systems after terminating an employee. More details about the unauthorized access to PHI and settlement are discussed.
New Haven Health Department Unauthorized Access to PHI
In January 2017, the HHS’ Office for Civil Rights (OCR) received a breach report from the New Haven Health Department. They reported that a terminated employee had accessed the protected health information (PHI) of 498 patients. The employee in question returned to her former office eight days after she had been terminated and accessed what was her computer using her login credentials.
She then downloaded patient files onto her personal USB drive. The stolen files included patient names, addresses, dates of birth, race/ethnicity, gender, and sexually transmitted disease test results. She also shared her login credentials with an intern who continued to use the credentials to access New Haven’s systems after the employee had been fired.
Upon investigation into the incident, the OCR determined that New Haven had committed several HIPAA violations including failure to conduct an enterprise-wide risk analysis, implement termination procedures, access controls such as unique user identification, and HIPAA Privacy Rule policies and procedures.
The OCR settlement included a $202,400 fine, a corrective action plan, and two years of monitoring. OCR Director Roger Severino commented on the incident, “Medical providers need to know who in their organization can access patient data at all times. When someone’s employment ends, so must their access to patient records.”
HIPAA Compliance Prevents HIPAA Fines
When an organization is under investigation by the OCR, they ask the organization to prove that they have made a good faith effort to comply with HIPAA regulations. Organizations that have a documented effective HIPAA compliance plan are able to do so.
To achieve HIPAA compliance organizations must:
◈ Conduct annual self-audits, including an enterprise-wide risk analysis;
◈ Implement HIPAA policies and procedures, including what to do if an employee is terminated;
◈ Conduct annual employee training, including that employees should never share their login credentials, even with another employee;
◈ Vet business associates and have signed business associate agreements;
◈ Report incidents in accordance with the breach notification rule; and
◈ Document compliance efforts.
