hipaa investigation settlement

Medical Records Breach Ends in $240,000 HIPAA Settlement: Hospital Security Guards Under Scrutiny

June 15, 2023

The United States Department of Health and Human Services Office for Civil Rights (OCR) recently struck a settlement with Yakima Valley Memorial Hospital, a general hospital based in Yakima, Washington. 

An investigation under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was centered on claims that a group of security guards assigned to the hospital’s ER department had accessed the medical records of 419 patients without due authorization.

Medical Records Breach Ends in $240,000 HIPAA Settlement: Hospital Security Guards Under Scrutiny

HIPAA Investigation Settlement and Alleged Unauthorized Access to Medical Records

The HIPAA Privacy, Security, and Breach Notification Rules guidelines have a broad reach, impacting numerous healthcare organizations. These regulations lay forth necessary standards that HIPAA-regulated organizations must follow, including securing patient details from unauthorized access.

Yakima Valley Memorial Hospital has resolved the unauthorized access to medical records issue on its own initiative. The hospital agreed to pay a total of $240,000 in settlement. To further avoid future security lapses or unauthorized access to protected health information (PHI), they have also agreed to implement revised rules and processes and educate those staff who will be tasked with handling them.

Yakima Valley Memorial Hospital and the HIPAA Investigation

It was back in May 2018 that the OCR began investigating the hospital about the said allegation. It all started when they received a breach notification report highlighting the concerning issue. It turns out that 23 security guards employed in the hospital’s emergency department were using their login credentials to access patient medical records stored in the electronic medical record system. The troubling part was that they had no valid job-related reason to do so. The accessed information encompassed crucial details like names, dates of birth, medical record numbers, addresses, treatment-related notes, and insurance information.

OCR Director Melanie Fontes Rainer emphasized that the healthcare industry frequently faces data breaches resulting from current and former workforce members inappropriately accessing patient records. She highlighted the importance for healthcare organizations to establish strict controls that limit workforce members from accessing information beyond their scope of job responsibilities. Rainer also stressed that HIPAA-covered entities must have extensive policies and procedures in place to safeguard PHI effectively and prevent instances of identity theft and fraud.

Medical Records Breach Ends in $240,000 HIPAA Settlement: Hospital Security Guards Under Scrutiny

Settlement Details: Voluntary Resolution and Monetary Penalty

Aside from the $240,000 fine, the OCR will conduct a two-year monitoring period for Yakima Valley Memorial Hospital as part of a settlement agreement. Their compliance with the HIPAA Security Rule is to be ensured by this oversight. Also, Yakima Valley Memorial Hospital will implement several steps as part of its dedication to compliance, including carrying out a careful risk analysis to find any possible weak points in how they handle electronically protected health information (ePHI). 

Additionally, a risk management strategy will be created and implemented to address and minimize the risks of the security threats found. The hospital will also enhance its existing HIPAA and Security Training programs and educate its workforce on the updated policies and procedures. 

In addition, Yakima Valley Memorial Hospital will review its relationships with vendors and third-party service providers to identify business associates and establish appropriate business associate agreements if needed.

Medical Records Breach Ends in $240,000 HIPAA Settlement: Hospital Security Guards Under Scrutiny

Corrective Action Plan

A Corrective Action Plan for hospitals should include the following to protect patient privacy and prevent unauthorized access to PHI:

  1. Thorough risk analysis: Yakima Valley Memorial Hospital must commit to conducting a comprehensive and meticulous risk analysis to identify potential vulnerabilities in its management of electronic PHI. This analysis will provide valuable insights into existing risks and enable the development of targeted mitigation strategies.
  2. Risk management plan: Building upon the risk analysis findings, Yakima Valley Memorial Hospital must develop and implement a robust risk management plan. This plan will address and mitigate identified security risks, ensuring a proactive and systematic approach to safeguarding PHI.
  3. Written policies and procedures: The hospital acknowledges the significance of well-defined, up-to-date policies and procedures. As part of this, Yakima Valley Memorial Hospital must enhance its existing set of HIPAA policies and procedures. It is also imperative for these documents to be regularly reviewed, maintained, and revised to reflect the ever-evolving best practices and regulatory requirements.
  4. Workforce training program: Recognizing the vital role of its workforce in protecting PHI, Yakima Valley Memorial Hospital may also enhance its HIPAA and Security Training Program. This program will provide comprehensive training to all staff members, equipping them with the knowledge and skills needed to adhere to the updated policies and procedures.
  5. Vendor and third-party relationships: To ensure the utmost protection of PHI, Yakima Valley Memorial Hospital must thoroughly review its relationships with vendors and third-party service providers. This review aims to identify any business associates and establish appropriate business associate agreements, if not already in place. The hospital must enforce data security standards and regulatory compliance among its partners through these agreements.

Through these proactive measures, Yakima Valley Memorial Hospital can establish itself as a leader in data security and reaffirm its dedication to the highest standards of healthcare information protection.

Kent Cañas

Kent is a content strategist currently specializing in HIPAA-compliant online fax. Her expertise in this field allows her to provide valuable insights to clients seeking a secure and efficient online fax solution.

More great articles
emailing protected health information
Emailing Protected Health Information: Risks, Best Practices

This article explores the significance of safely emailing protected health information (PHI) towards ensuring patient privacy.

Read Story
hipaa-compliant help desk software
5 Best HIPAA-Compliant Help Desk Software for Healthcare

Here's a list of the best HIPAA-compliant help desk software to help you protect healthcare data while avoiding compliance violations.

Read Story
4 Popular Trends in Sonographers Software and Ultrasound
4 Popular Trends in Sonographers Software and Ultrasound

The introduction of sonography has completely changed the face of modern medicine, to say the least. Healthcare professionals have been…

Read Story
Subscribe to iFax Newsletter
Get great content to your inbox every week. No spam.

    Only great content, we don’t share your email with third parties.