privacy breach washington

Privacy Breach Fallout: Washington Hospital Slapped with $240,000 HIPAA Penalty for Unauthorized Access to Medical Records

July 3, 2023

Yakima Valley Memorial Hospital, formerly known as Virginia Mason Memorial Hospital, faces a $240,000 monetary penalty after alleged data snooping claims involving security guards. The Washington-based hospital also agreed to update its policies and procedures as part of its corrective action plan.

Following the snooping incident, the HHS Office of Civil Rights (OCR) investigated several security guards from Yakima Valley Memorial Hospital who allegedly accessed the medical records of 419 patients. This clearly violates the HIPAA Privacy Rule, which protects patients’ protected health information (PHI) from unauthorized access.

In a statement by OCR Director Melanie Fontes Rainer, she said that “Data breaches caused by current and former workforce members impermissibly accessing patient records are a recurring issue across the healthcare industry. Healthcare organizations must ensure that workforce members can only access the patient information needed to do their jobs. HIPAA-covered entities must have robust policies and procedures in place to ensure patient health information is protected from identity theft and fraud.”

In Related News: Medical Records Breach Ends in $240,000 Settlement

hipaa investigation settlement

Breach Discovery: Unauthorized Access to Medical Records

Following a privacy breach notification, the OCR launched an investigation in May 2018 involving several security guards from the Yakima Valley Memorial Hospital. As it turns out, 23 security personnel, who were then assigned to the emergency room department, used their login credentials to access confidential patient medical records stored in the hospital’s electronic medical records (EMR) system. The OCR discovered that the compromised information included the patient names, birth dates, medical record numbers, addresses, specific treatment notes, and insurance details.

Investigation Findings: Widespread Snooping

After receiving the initial complaint about the alleged snooping, the OCR launched an investigation. The findings have shown that a group of security guards committed a widespread snooping on the hospital’s confidential electronic medical records. Furthermore, the hospital failed to establish strict controls to prevent staff or non-medical personnel from accessing sensitive patient information, especially when it’s not part of their work scope.

In response, the not-for-profit hospital and the OCR reached a settlement agreement. The Washington-based hospital voluntarily agreed to pay $240,000 as a form of settlement. On top of that, the hospital must also carry out a corrective action plan, which includes performing a comprehensive risk analysis and having its staff undergo a comprehensive HIPAA compliance training program.

hipaa violation case

HIPAA Violations Uncovered: Hospital’s Failure to Implement Policies

Failure to abide by the Privacy, Security, and Breach Notification Rules is considered a HIPAA violation. Usually, this happens when a medical provider or unauthorized entity wrongfully uses or discloses PHI without the patient’s consent.

HIPAA violations can be categorized as administrative, civil, or criminal. The former applies to providers using the wrong codes on a claims transaction. Meanwhile, denying the patient or personal representative access to their PHI is considered a civil violation. A data privacy breach also falls under civil HIPAA violations. Those who unknowingly disclosed PHI may be subject to criminal violations.

To determine a HIPAA-related violation, the HHS Office for Civil Rights (OCR) investigates all reported breaches of the PHI of 500 people or more. According to OCR’s latest HIPAA enforcement action, the amount of settlement and penalty lies in the complexity of the HIPAA violation.

Privacy Breach Fallout: Washington Hospital Slapped with $240,000 HIPAA Penalty for Unauthorized Access to Medical Records

Settlement With OCR Ends in Voluntary Resolution and $240,000 Penalty

Following the settlement resolution, Yakima Valley Memorial Hospital agreed to pay $240,000 as a monetary penalty. Furthermore, the OCR will monitor the hospital for two years to ensure its compliance with the HIPAA Security Rule. The Washington-based hospital must also take the following measures as part of its corrective action policy.

Here are some of the actions that the Yakima Valley Memorial Hospital must need to establish:

  • Perform a thorough risk analysis to determine any potential risks to ePHI
  • Develop a risk management plan to mitigate identified vulnerabilities
  • Maintain or revise security measures compliant with the HIPAA policies and procedures
  • Review all partnerships with third-party service providers and obtain appropriate business associate agreements, if there is none in place
  • Conduct employee training to increase awareness of the existing HIPAA regulations and hospital security policies

The final settlement took immediate effect last May 15, 2023. If the HHS approves its policies, the hospital will send an implementation report after 120 days. Their staff will also undergo training to ensure a successful implementation. After this, the hospital will submit an annual report that shows the current status of its staff training and security measures.

This Washington hospital data privacy breach violation marks the 6th OCR HIPAA enforcement action of 2023.

Kent CaƱas

Kent is a content strategist currently specializing in HIPAA-compliant online fax. Her expertise in this field allows her to provide valuable insights to clients seeking a secure and efficient online fax solution.

More great articles
hipaa violation audio recording
HIPAA Violation Audio Recording: Risks, Regulations, and Preventive Measures

Audio recording can be a powerful tool in healthcare. Here's how to avoid HIPAA violations when recording discussions between patients…

Read Story
vmware aria vulnerability
Cyber Attackers Exploit Vulnerabilities in VMware Aria Operations for Networks

VMware made an alarming announcement confirming an exploitedĀ vulnerability on VMware Aria Operations for Networks.

Read Story
Healthcare Business Associate Fined $75k for ePHI Breach
Healthcare Business Associate Fined $75k for ePHI Breach

In aĀ recent settlement, iHealth Solutions, LLC, a Kentucky-based HIPAA business associate, paid $75,000 for potential HIPAA violations.

Read Story
Subscribe to iFax Newsletter
Get great content to your inbox every week. No spam.

    Only great content, we donā€™t share your email with third parties.
    Arrow-up