Memorial Healthcare Systems (MHS) paid the U.S. Department of Health and Human Services (HHS) $5.5 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules and agreed to implement a robust corrective action plan. The settlement underscores how expensive it can be to overlook implementation of policies and procedures, and failing to audit and monitor for compliance with them.

MHS reported to the HHS Office for Civil Rights (OCR) that the protected health information (PHI) of 115,143 individuals had been impermissibly accessed by its employees and impermissibly disclosed to affiliated physician office staff. The login credentials of a former employee of an affiliated physician’s office had been used to access the ePHI maintained by MHS on a daily basis without detection for a year, from April 2011 to April 2012. This lapse affected 80,000 individuals’ PHI. Although MHS had workforce access policies and procedures in place, it failed to implement procedures with respect to reviewing, modifying and/or terminating users’ right of access, as required by the HIPAA Rules. In addition, MHS failed to regularly review records of information system activity on applications that maintain electronic protected health information by workforce users and users at affiliated physician practices, despite having identified this risk on several risk analyses conducted by MHS from 2007 to 2012, a five (5) year period of time.

The Memorial Healthcare settlement is a reminder of the importance of having a HIPAA compliance plan with up-to-date policies and procedures, a system for auditing employees’ access to PHI, and promptly terminating that access when an employee leaves. The OCR is currently auditing both covered entities (healthcare providers) and their business associates for compliance with the HIPAA and HITECH privacy and security rules. As you can see from the MHS settlement, breach of these rules can result in stiff monetary penalties and could subject your organization to the rigors of a multi-year Resolution Agreement.

Sullivan Stolier Schulze & Grubb has assisted its clients with creating, implementing and updating HIPAA compliance plans as well as their overall compliance plans. If you have questions or would like to ensure that your policies and procedures are up to date and your organization is appropriately auditing and monitoring for HIPAA privacy and security compliance, contact us. We would be pleased to answer your questions and assist you as needed.