Memorial Healthcare Systems (MHS) offers the U.S. Department of Health and Human Services (HHS) the sum of $5 .5 million to clear up prospective transgression of the Medical Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Guidelines and additionally consented to put into effect a highly effective corrective action plan. MHS is a nonprofit establishment that manages six hospitals, an urgent care facility, a nursing home, including a range of ancillary health care centers in every area of the South Florida vicinity. MHS is as well associated with healthcare professional offices via an Organized Health Care Arrangement (OHCA).
MHS disclosed to the HHS Office for Civil Rights (OCR) that the protected health information (PHI) of 115,143 persons had previously been impermissibly reached by a number of staff members and also impermissibly reported to associated healthcare professional office personnel. These records consisted of the seriously affected individuals’ names, dates of birth, not to mention social security numbers. The sign on the identification of past personnel of an associated physician’s office was employed to gain access to the ePHI handled by MHS on a day-to-day basis without detection from April 2011 to April 2012, which affects 80,000 men and women. Even though it had workforce access policies and strategies in place, MHS was unable to instigate techniques with reference to reviewing, modifying and/or terminating users’ right of access, as demanded by the HIPAA Guidelines. Additional, MHS was incapable to frequently assess data records of information system activity on applications that maintained electronically secured health information by employees users and users at associated physician practices, even with acknowledged this associated risk on numerous HIPAA risk analyses conducted by MHS from 2007 to 2012.
Access to ePHI should always be available to only certified people, which includes associated health care professionals office staff” declared Robinsue Frohboese, Acting Directo, HHS Office for Civil Right. “Further, corporations will need to execute audit controls and also examine audit logs consistently. Because this case shows, a lack of access controls and regular review of audit logs facilitates hackers or possibly malevolent insiders to take care of their electronic trails, which makes it challenging for protected establishments and business affiliates to not just recoup from breaches, nonetheless to protect against them before they ensue.”