Privacy Breach Fallout: Washington Hospital Slapped with $240,000 HIPAA Penalty for Unauthorized Access to Medical Records

July 3, 2023

Yakima Valley Memorial Hospital, formerly known as Virginia Mason Memorial Hospital, faces a $240,000 monetary penalty following allegations of data snooping by its security guards. The Washington-based hospital also agreed to update its policies and procedures as part of a corrective action plan.

Following the snooping incident, the HHS Office for Civil Rights (OCR) investigated several security guards from Yakima Valley Memorial Hospital who allegedly accessed the medical records of 419 patients. Such access clearly violates the HIPAA Privacy Rule, which protects patients’ protected health information (PHI) from unauthorized access.

In a statement, OCR Director Melanie Fontes Rainer said: “Data breaches caused by current and former workforce members impermissibly accessing patient records are a recurring issue across the healthcare industry. Healthcare organizations must ensure that workforce members can only access the patient information needed to do their jobs. HIPAA-covered entities must have robust policies and procedures in place to ensure patient health information is protected from identity theft and fraud.”

Breach Discovery: Unauthorized Access to Medical Records

Following a privacy breach notification, the OCR launched an investigation in May 2018 involving several security guards from Yakima Valley Memorial Hospital. As it turned out, 23 security personnel, then assigned to the emergency room department, had used their own login credentials to access confidential patient medical records stored in the hospital’s electronic medical records (EMR) system. The OCR found that the compromised information included patient names, birth dates, medical record numbers, addresses, specific treatment notes, and insurance details.

Investigation Findings: Widespread Snooping

After receiving the initial complaint about the alleged snooping, the OCR launched an investigation. Its findings showed that a group of security guards had engaged in widespread snooping of the hospital’s confidential electronic medical records. Furthermore, the hospital had failed to establish strict controls to prevent staff or non-medical personnel from accessing sensitive patient information, especially when doing so was not part of their job duties.
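The control the investigation found missing is the HIPAA "minimum necessary" principle applied to system access: each role gets only the record categories its job requires, and routine audit-log review catches accounts that open records outside that scope. The script below is an added illustration, not code from the article or from the hospital; the roles, permission sets, pipe-delimited audit format, log lines and the three-patient threshold are all constructed for the example. It applies a role-based policy check to each EMR access event (the preventive control) and then aggregates denied accesses per user to surface the broad pattern that distinguishes snooping from a single mistaken click (the detective control).

```python
"""Minimum-necessary access review over EMR audit logs.

Added example, not from the article or the hospital it describes.
Every role, user, log line and threshold here is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed minimum-necessary policy: record categories each role may open.
# Roles not listed (or listed with an empty set) are denied everything.
ROLE_PERMISSIONS = {
    "physician": {"demographics", "treatment_notes", "insurance"},
    "nurse": {"demographics", "treatment_notes"},
    "billing": {"demographics", "insurance"},
    "security_guard": {"patient_location"},  # constructed: only what that role needs
}


@dataclass(frozen=True)
class AccessEvent:
    timestamp: str
    user: str
    role: str
    patient_id: str
    category: str  # record category that was opened
    action: str    # "view", "print", ...


def parse_audit_line(line: str) -> AccessEvent:
    """Parse one pipe-delimited audit line (constructed format, six fields)."""
    ts, user, role, patient, category, action = [f.strip() for f in line.split("|")]
    return AccessEvent(ts, user, role, patient, category, action)


def is_permitted(event: AccessEvent) -> bool:
    """Preventive check: allow only if the role's permission set covers the category.
    Unknown roles fall back to an empty set, so the check fails closed."""
    return event.category in ROLE_PERMISSIONS.get(event.role, set())


def review_audit_log(lines, distinct_patient_threshold=3):
    """Detective check over an audit log.

    Returns (violations, snooping_users):
      violations     - every event the policy would have denied
      snooping_users - {user: distinct patients} for users whose denied
                       accesses span at least `distinct_patient_threshold`
                       different patients (the 'widespread' pattern)
    """
    violations = []
    patients_by_user = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        event = parse_audit_line(line)
        if not is_permitted(event):
            violations.append(event)
            patients_by_user[event.user].add(event.patient_id)
    snooping = {
        user: len(patients)
        for user, patients in patients_by_user.items()
        if len(patients) >= distinct_patient_threshold
    }
    return violations, snooping


# Constructed sample audit log: one guard opens clinical records for three
# patients; a nurse opens one insurance record outside her role; billing
# staff open an insurance record, which their role permits.
SAMPLE_LOG = """\
2018-05-01T02:10:00 | guard01 | security_guard | P1001 | treatment_notes | view
2018-05-01T02:12:00 | guard01 | security_guard | P1002 | demographics    | view
2018-05-01T02:15:00 | guard01 | security_guard | P1003 | insurance       | view
2018-05-01T03:00:00 | nurse07 | nurse          | P1001 | treatment_notes | view
2018-05-01T03:05:00 | nurse07 | nurse          | P1001 | insurance       | view
2018-05-01T04:00:00 | bill02  | billing        | P1002 | insurance       | view
"""

if __name__ == "__main__":
    found, flagged = review_audit_log(SAMPLE_LOG.splitlines())
    for ev in found:
        print(f"DENIED  {ev.timestamp} {ev.user:8} {ev.role:15} {ev.patient_id} {ev.category}")
    for user, count in flagged.items():
        print(f"REVIEW  {user}: denied access spanning {count} distinct patients")
```

Run on the constructed log, the policy denies four events (three by the guard, one by the nurse) and flags only `guard01` for follow-up, because that account's out-of-scope reads span three different patients while the nurse's single denied event stays below the threshold. The per-user aggregation matters in practice: a single denied read is usually a workflow mistake, whereas many distinct patients from one non-clinical account is the pattern the OCR findings describe.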

In response, the not-for-profit hospital and the OCR reached a settlement agreement. The Washington-based hospital voluntarily agreed to pay $240,000 in settlement. On top of that, the hospital must carry out a corrective action plan, which includes performing a comprehensive risk analysis and putting its staff through a comprehensive HIPAA compliance training program.

HIPAA Violations Uncovered: Hospital’s Failure to Implement Policies

Failure to abide by the Privacy, Security, and Breach Notification Rules is considered a HIPAA violation. Usually, this happens when a medical provider or unauthorized entity wrongfully uses or discloses PHI without the patient’s consent.

HIPAA violations can be categorized as administrative, civil, or criminal. The first applies to providers using the wrong codes on a claims transaction. Denying a patient or personal representative access to their PHI is considered a civil violation, and a data privacy breach also falls under civil HIPAA violations. Those who unknowingly disclosed PHI may be subject to criminal violations.

To determine whether a HIPAA violation has occurred, the HHS Office for Civil Rights (OCR) investigates all reported breaches of the PHI of 500 people or more. According to OCR’s latest HIPAA enforcement action, the size of the settlement or penalty depends on the complexity of the HIPAA violation.

Settlement With OCR Ends in Voluntary Resolution and $240,000 Penalty

Under the settlement resolution, Yakima Valley Memorial Hospital agreed to pay $240,000 as a monetary penalty. Furthermore, the OCR will monitor the hospital for two years to ensure its compliance with the HIPAA Security Rule. The Washington-based hospital must also take the following measures as part of its corrective action plan.

Here are some of the actions that Yakima Valley Memorial Hospital must take:

  • Perform a thorough risk analysis to determine any potential risks to ePHI
  • Develop a risk management plan to mitigate identified vulnerabilities
  • Maintain or revise security measures compliant with the HIPAA policies and procedures
  • Review all partnerships with third-party service providers and obtain appropriate business associate agreements where none are in place
  • Conduct employee training to increase awareness of the existing HIPAA regulations and hospital security policies

The final settlement took effect on May 15, 2023. Once HHS approves the hospital’s revised policies, the hospital will submit an implementation report within 120 days. Its staff will also undergo training to ensure a successful implementation. After that, the hospital will submit an annual report on the current status of its staff training and security measures.

This Washington hospital data privacy breach violation marks the 6th OCR HIPAA enforcement action of 2023.
