BayCare Health Pays $800,000 HIPAA Penalty for Malicious Insider Incident

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has announced a financial penalty against BayCare Health System. The Florida healthcare system agreed to pay $800,000 to resolve its HIPAA violation case and to follow a corrective action plan; OCR will monitor BayCare Health’s compliance for two years. OCR generally investigates reported data breaches involving at least 500 individuals to evaluate HIPAA compliance. In this case, however, OCR opened the investigation in October 2018 after receiving a complaint from a patient about unauthorized access to her printed and electronic health records (EHR) during a visit to BayCare Health’s St. Joseph Hospital in Tampa, Florida. After her treatment, the woman reported that an unknown person contacted her and showed her pictures of her medical documents. She also saw a video of someone scrolling through her EHR on a computer screen.

OCR’s investigation confirmed that a malicious insider accessed her protected health information (PHI). Access to the electronic medical record system requires credentials to view patient records. OCR traced the unauthorized access to a non-clinical ex-staff member of a doctor’s practice. That person was given access to electronic health records for continuing patient care.

OCR determined that BayCare Health failed to implement HIPAA Privacy Rule policies and procedures for granting access to electronic protected health information (ePHI), including restricting each user’s access to the minimum necessary ePHI. BayCare Health also failed to manage risk properly, not applying sufficient security measures to reduce risks and vulnerabilities to an acceptable level, and failed to implement policies and procedures for regularly reviewing activity logs in its information systems.

After BayCare Health was notified of the investigation’s findings, OCR allowed the covered entity to resolve the alleged HIPAA violations informally. BayCare Health agreed to the settlement without admitting wrongdoing or liability. In addition to paying the financial penalty, the covered entity must follow a corrective action plan that requires conducting a complete and accurate risk analysis, creating and implementing a risk management plan to reduce risks and vulnerabilities to ePHI to an acceptable level, and ensuring HIPAA compliance. The workforce must be informed of the updated HIPAA policies and procedures and receive HIPAA training.

With the increase in hacking incidents and ransomware attacks, HIPAA-covered entities must ensure that employees and any other party with access to electronic medical records can access only the health data they need to perform their tasks. Unrestricted access to ePHI invites abuse by malicious insiders and can lead to the compromise of PHI.
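The two controls OCR faulted above, minimum-necessary access and regular review of activity logs, can be exercised together by checking each EHR access event against the workforce roster and the patient’s care team. The following is an added example, not BayCare Health’s or OCR’s own code; the audit-log format, the roster fields (role, termination date) and all user and patient identifiers are constructed for illustration.

```python
from datetime import datetime

# Constructed sample data (hypothetical ids). The roster records each account's
# role and, for former staff, the date the employment or contract ended.
WORKFORCE = {
    "u1001": {"role": "physician", "terminated": None},
    "u2002": {"role": "billing",   "terminated": "2018-09-30"},  # non-clinical ex-staff
    "u3003": {"role": "nurse",     "terminated": None},
}
# Patients with whom each user currently has a treatment relationship.
CARE_TEAM = {"u1001": {"p500", "p501"}, "u3003": {"p500"}}
CLINICAL_ROLES = {"physician", "nurse"}

# Constructed EHR audit events: timestamp user action patient record-type
AUDIT_LOG = """\
2018-10-02T09:15:00 u1001 VIEW p500 progress_note
2018-10-02T09:20:00 u3003 VIEW p501 medication_list
2018-10-05T22:41:00 u2002 VIEW p501 progress_note
2018-10-05T22:43:00 u2002 PRINT p501 discharge_summary
"""

def parse_event(line):
    ts, user, action, patient, record = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "patient": patient, "record": record}

def review_access(log, workforce, care_team):
    """Return (event, reasons) for every event that breaks minimum-necessary access."""
    findings = []
    for line in log.strip().splitlines():
        ev, reasons = parse_event(line), []
        acct = workforce.get(ev["user"])
        if acct is None:
            reasons.append("unknown account")
        else:
            term = acct["terminated"]
            if term and ev["ts"] >= datetime.fromisoformat(term):
                reasons.append("access after termination date")
            if acct["role"] not in CLINICAL_ROLES:
                reasons.append("non-clinical role viewing clinical record")
        if ev["patient"] not in care_team.get(ev["user"], set()):
            reasons.append("no treatment relationship with patient")
        if reasons:
            findings.append((ev, reasons))
    return findings

if __name__ == "__main__":
    for ev, reasons in review_access(AUDIT_LOG, WORKFORCE, CARE_TEAM):
        print(ev["ts"], ev["user"], ev["action"], ev["patient"], "->", "; ".join(reasons))
```

Run on a real export, the review would be scheduled (daily or weekly) and the roster and care-team lists pulled from the HR and scheduling systems, so that a terminated account touching any record is surfaced on the next review rather than discovered from a patient complaint.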

Author: Joe Murray

Joe Murray is the Editor-in-Chief of HIPAA 101, where he leads the writing team in delivering high-quality news and insights on HIPAA regulations. With over 15 years of experience in healthcare journalism, Joe has established himself as a trusted writer. At HIPAA 101, Joe is dedicated to providing healthcare professionals and administrative staff with accurate, timely, and comprehensive information to help them navigate the complexities of HIPAA.