
BayCare settles with HHS over alleged HIPAA violations

A nonclinical former staff member allegedly gained access to patients' medical records, OCR found.
By Jeff Lagasse, Editor
Photo: Lawyers examining paperwork (Pichsakul Promrungsee EyeEm/Getty Images)

BayCare Health System in Clearwater, Florida, will pay $800,000 to the Department of Health and Human Services' Office for Civil Rights to settle allegations of potential HIPAA violations.

OCR investigated BayCare after it received a complaint in 2018 regarding impermissible access to the complainant's electronic protected health information (ePHI).

The complainant alleged that after receiving treatment at a BayCare facility, she was contacted by an unknown person who had photographs of her printed medical records, as well as a video of someone scrolling through her medical records on a computer screen.

The investigation determined that the credentials used to access the complainant's medical record belonged to a nonclinical former staff member of a physician's practice. That practice had been granted access to BayCare's electronic medical records to support continuity of care for patients the two organizations shared, and the former employee's credentials still worked after their employment ended.

WHAT'S THE IMPACT

The potential HIPAA violations OCR identified include failing to implement policies and procedures for authorizing access to ePHI that are consistent with HIPAA; failing to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level; and failing to regularly review records of information system activity, such as access logs and audit reports.

In addition to the $800,000, BayCare agreed to implement a corrective action plan that OCR will monitor for two years. 

Under the corrective action plan, BayCare has agreed to conduct an accurate, thorough risk analysis; develop a risk management plan to address and mitigate security risks; revise its written policies and procedures to comply with the HIPAA Rules; and train its workforce that has access to ePHI on its HIPAA policies and procedures.

OCR had a number of general recommendations for healthcare providers and health plans. It advised organizations to identify where ePHI is located in the organization, including how ePHI enters, flows through and leaves the organization's information systems. It also suggested integrating risk analysis and risk management into the organization's business processes.

THE LARGER TREND

Further recommendations include ensuring audit controls are in place to record and examine information system activity; implementing regular reviews of information system activity; using authentication mechanisms to ensure that only authorized users access ePHI; encrypting ePHI in transit and at rest; and providing the workforce with regular HIPAA training that is specific to the organization and to each workforce member's job duties.
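The review of information system activity that OCR recommends is the control that would have surfaced this incident: a credential belonging to a former employee of an outside practice was used to open records, including records of patients that practice had no treatment relationship with. The script below is an added example written for this article; it is not BayCare's or OCR's code. It runs a small review over a constructed EHR access log, checking each access against a constructed roster of external-practice users (with termination dates) and a constructed list of the patients each practice shares with the hospital. The log format, usernames, practice name and patient identifiers are all invented for illustration.

```python
"""Periodic review of EHR access logs for the failure modes in the BayCare case.

Added example, not code from BayCare or OCR. The log format (ISO timestamp
followed by key=value pairs), the roster fields and all identifiers are
hypothetical and constructed for this illustration.
"""
import re
from datetime import datetime, timezone

# Constructed sample log lines. tmorris left the practice on 2018-01-31 but
# the credential was never disabled; ghost@unknown is on no roster at all.
ACCESS_LOG = """
2018-02-12T09:14:03Z user=rlee@northpractice action=VIEW patient=P-1001
2018-02-12T09:20:41Z user=rlee@northpractice action=VIEW patient=P-1002
2018-03-05T18:02:17Z user=tmorris@northpractice action=VIEW patient=P-2200
2018-03-05T18:03:05Z user=tmorris@northpractice action=PRINT patient=P-2200
2018-03-05T18:04:59Z user=tmorris@northpractice action=VIEW patient=P-3100
2018-03-06T07:45:10Z user=ghost@unknown action=VIEW patient=P-1001
""".strip().splitlines()

# Constructed roster of external-practice users granted EHR access, with the
# date their employment ended (None = still employed).
ROSTER = {
    "rlee@northpractice": {"practice": "northpractice", "terminated": None},
    "tmorris@northpractice": {"practice": "northpractice", "terminated": "2018-01-31"},
}

# Constructed mapping: patients each practice shares with the hospital, i.e.
# the only records that practice has a continuity-of-care reason to open.
SHARED_PATIENTS = {
    "northpractice": {"P-1001", "P-1002", "P-2200"},
}

LINE_RE = re.compile(r"^(\S+)\s+user=(\S+)\s+action=(\S+)\s+patient=(\S+)$")


def parse_line(line):
    """Parse one hypothetical-format log line into a dict; reject anything malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m.group(2), "action": m.group(3), "patient": m.group(4)}


def review_access(log_lines, roster, shared_patients):
    """Return one finding per suspicious access, each carrying every reason it tripped.

    Checks, in order: the user must be on the roster; the access must predate
    any termination date; the patient must be one the user's practice shares.
    """
    findings = []
    for line in log_lines:
        ev = parse_line(line)
        reasons = []
        entry = roster.get(ev["user"])
        if entry is None:
            reasons.append("unknown-user")
        else:
            if entry["terminated"] is not None:
                term = datetime.strptime(entry["terminated"], "%Y-%m-%d").replace(
                    tzinfo=timezone.utc
                )
                if ev["ts"] >= term:
                    reasons.append("terminated-account")
            if ev["patient"] not in shared_patients.get(entry["practice"], set()):
                reasons.append("no-treatment-relationship")
        if reasons:
            findings.append({**ev, "reasons": reasons})
    return findings


def summarize(findings):
    """Count findings per user so reviewers see which credential to disable first."""
    counts = {}
    for f in findings:
        counts[f["user"]] = counts.get(f["user"], 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(ACCESS_LOG, ROSTER, SHARED_PATIENTS)
    for f in results:
        print(f["ts"].isoformat(), f["user"], f["action"], f["patient"], ",".join(f["reasons"]))
    print("per-user:", summarize(results))
```

In practice the roster and shared-patient list would come from the HR and scheduling systems rather than literals, and the review would run on a schedule against the audit trail the Security Rule requires; the point is that the termination-date check and the treatment-relationship check are cheap, mechanical and catch exactly the access pattern described in the complaint.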

Jeff Lagasse is editor of Healthcare Finance News.
Email: jlagasse@himss.org
Healthcare Finance News is a HIMSS Media publication.