The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has reached a settlement with BayCare Health System (BayCare), a Florida-based healthcare provider, regarding potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The agreement resolves an OCR investigation into a complaint alleging unauthorized access to a patient’s electronic protected health information (ePHI).

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which establish requirements for covered entities—including health plans, healthcare clearinghouses, and most healthcare providers—and their business associates to protect the privacy and security of protected health information (PHI). The HIPAA Security Rule specifically outlines national standards for administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI.

“In an era dominated by cybersecurity threats and ransomware attacks, it’s crucial for HIPAA-covered entities to ensure that only authorized personnel access patient health information necessary to perform their duties,” said OCR Acting Director Anthony Archeval. “Unrestricted access can make sensitive health data vulnerable to internal threats.”

The investigation began in October 2018 following a complaint that a BayCare patient had been contacted by an unknown individual with photographs of her printed medical records and a video showing her records being accessed on a computer. OCR determined that the medical record had been accessed using the login credentials of a former, non-clinical employee of a physician’s practice affiliated with BayCare.

OCR’s findings indicated that BayCare potentially violated several provisions of the HIPAA Security Rule, including:

  • Failing to implement appropriate policies and procedures to authorize access to ePHI;

  • Not adequately reducing security risks and vulnerabilities to a reasonable level; and

  • Failing to regularly review information system activity logs.

As part of the settlement, BayCare agreed to pay $800,000 to OCR and implement a corrective action plan, which OCR will oversee for two years. Key requirements of the plan include:

  • Conducting a comprehensive risk analysis to identify threats to the confidentiality, integrity, and availability of ePHI;

  • Developing and executing a risk management strategy based on the analysis findings;

  • Updating policies and procedures to ensure HIPAA compliance; and

  • Providing HIPAA training tailored to workforce members’ roles and responsibilities.

OCR also urged all HIPAA-covered entities and business associates to strengthen ePHI security by:

  • Mapping the flow of ePHI within their systems and understanding how it enters, moves through, and exits their networks;

  • Embedding risk analysis and risk management into organizational operations;

  • Implementing robust audit controls and regularly reviewing system activity;

  • Using authentication mechanisms to limit ePHI access to authorized users;

  • Encrypting ePHI during transmission and storage where appropriate;

  • Incorporating lessons from past incidents into broader security practices; and

  • Offering regular, role-specific HIPAA training to all employees.

The full resolution agreement and corrective action plan are available at: HHS HIPAA Enforcement Agreements