On June 15, the US Department of Health and Human Services Office for Civil Rights (OCR) announced a settlement with the not-for-profit community hospital, Yakima Valley Memorial Hospital. The settlement followed a significant HIPAA privacy breach by the hospital’s security guard staff, impacting 419 individuals. This breach, violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA), marks an unprecedented HIPAA scandal in the healthcare industry.
HIPAA Rules and Regulations: The Framework for a Privacy Breach
The HIPAA Privacy, Security, and Breach Notification Rules are required protocols that HIPAA-regulated providers and their organizations must follow to ensure the safekeeping of health information. In its commitment to resolving an issue involving its security guards, Yakima Valley Memorial Hospital from Yakima, Washington, has agreed to pay $240,000 and put forth a plan to enhance its policies and workforce training to prevent future violations.
OCR Director Melanie Fontes Rainer’s Views on Data Breaches
Melanie Fontes Rainer, OCR Director, pointed out that data breaches involving unauthorized access to patient records by workforce members have occurred in other instances, creating a noteworthy issue in the healthcare industry. She explained the unprecedented HIPAA enforcement action in terms that draw attention to the issue for administrators to prevent similar occurrences in their respective settings.
Ms. Fontes Rainer explained:
“Data breaches caused by current and former workforce members impermissibly accessing patient records are a recurring issue across the healthcare industry. Healthcare organizations must ensure that workforce members can only access the patient information needed to do their jobs.”
She added,
“HIPAA-covered entities must have robust policies and procedures in place to ensure patient health information is protected from identify theft and fraud.”
Under the Guise of Guarding: The Security Guard HIPAA Violation in Detail
In May 2018, OCR initiated an investigation into Yakima Valley Memorial Hospital after receiving a breach notification report. The report stated that 23 security guards from the hospital’s emergency department used their login credentials to access patient medical records without a job-related purpose. The accessed data included names, birth dates, medical record numbers, addresses, treatment-related notes, and insurance details, infringing patient privacy rights and leading to this HIPAA privacy breach.
Compliance Measures: Steps to Adhere to HIPAA Rules
As a part of the settlement agreement, Yakima Valley Memorial Hospital will be monitored by OCR for two years to guarantee compliance with the HIPAA Security Rule. The hospital will also take corrective steps to align their organization with the HIPAA Rules:
Perform an accurate and thorough risk analysis to identify risks and vulnerabilities to electronic protected health information (ePHI).
Develop and execute a risk management plan to address and mitigate the identified security risks and vulnerabilities.
Formulate, maintain, and revise, as necessary, its written HIPAA policies and procedures.
Amplify its existing HIPAA and Security Training Program to provide updated workforce training on HIPAA policies and procedures.
Review all relationships with vendors and third-party service providers to identify business associates and establish business associate agreements if they still need to be implemented.
Additional Resources
The resolution agreement and corrective action plan can be found here. OCR continues to enforce the HIPAA Rules that
