The $5.5 million HIPAA settlement with Memorial Healthcare System highlights the need for audit controls to achieve HIPAA compliance.
In a press release issued February 16, the Office for Civil Rights (OCR) detailed the settlement case with Memorial Healthcare System (MHS). MHS must pay a $5.5 million fine and implement a corrective action plan created by the OCR.
The Reason for the HIPAA Settlement
From April 2011 to April 2012, a former employee’s login credentials were used to access ePHI maintained by MHS without detection. This affected approximately 80,000 individuals as the access occurred on a daily basis.
MHS had policies in place to review and terminate access for employees who left the organization, but failed to actually implement those policies and procedures when many employees left. Consequently, a total of 115,143 patients had their ePHI accessed and disclosed without authorization: a major HIPAA violation!
Remember: Audit Controls are a legal standard, so they must be implemented for HIPAA compliance.
Additionally, MHS failed to review audit logs of system activity. This specific gap was identified as a potential risk to the organization multiple times from 2007 to 2012 during several risk analyses.
Because MHS failed to implement safeguards for risks it had already identified, the organization now has to pay a very large fine.
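The two failures described above, access that is never revoked and audit logs that are never reviewed, can be caught by one routine check: join the ePHI access log against HR's termination list and flag every access that happens after a user's termination date. The script below is an added example, not code from the original post or from MHS; the log format, user names, patient identifiers and dates are constructed for illustration.

```python
from datetime import datetime

# Constructed sample data: HR termination dates keyed by login name.
# "jdoe" left the organization but the account was never disabled.
TERMINATED = {
    "jdoe": datetime(2011, 3, 31).date(),
    "asmith": datetime(2010, 6, 15).date(),
}

# Constructed ePHI access log: "<timestamp> <user> <action> patient=<record>".
ACCESS_LOG = """\
2011-04-01T08:12:00 jdoe view patient=P1001
2011-04-01T08:15:30 mlee view patient=P1002
2011-04-02T09:02:11 jdoe view patient=P1003
2011-04-02T09:05:00 jdoe view patient=P1004
2011-04-03T07:58:40 jdoe export patient=P1003
2011-04-03T10:00:00 asmith view patient=P1002
2011-04-03T10:20:00 mlee view patient=P1005
"""

def parse_log(text):
    """Yield (timestamp, user, action, record) from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, rec = line.split()
        yield datetime.fromisoformat(ts), user, action, rec.split("=", 1)[1]

def find_post_termination_access(log_text, terminated):
    """Return {user: {"events", "records", "first", "last"}} for every user
    whose ePHI access occurred after their HR termination date.
    Access on the termination date itself is not flagged (offboarding day)."""
    findings = {}
    for ts, user, action, rec in parse_log(log_text):
        term = terminated.get(user)
        if term is None or ts.date() <= term:
            continue  # active user, or access before/on last day
        f = findings.setdefault(user, {"events": 0, "records": set(),
                                       "first": ts.date(), "last": ts.date()})
        f["events"] += 1
        f["records"].add(rec)
        f["first"] = min(f["first"], ts.date())
        f["last"] = max(f["last"], ts.date())
    return findings

if __name__ == "__main__":
    for user, f in find_post_termination_access(ACCESS_LOG, TERMINATED).items():
        days = (f["last"] - f["first"]).days + 1
        print(f"{user}: {f['events']} accesses to {len(f['records'])} patient "
              f"records over {days} day(s) after termination on {TERMINATED[user]}")
```

Run daily against the previous day's log, a non-empty result is the signal MHS went a year without; the same join also surfaces accounts HR has closed that IAM has not.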
Not all people trying to access ePHI illegally reside outside of the organization. It can be easy to think that the biggest problem is a hacker sitting at a computer halfway across the world. Often, the biggest threat is an insider who doesn’t understand the regulations, or who has decided that the information their position exposes to them is worth more as personal profit. Even employees who have a business need for access to ePHI can misuse that access.
Start using HIPAAgps today to learn more about the required audit controls and other HIPAA standards. Protect your organization from devastating fines.