Government & Policy

Memorial Healthcare System pays $5.5 million to settle HIPAA suit over lack of audit controls

The Health and Human Services Office for Civil Rights said more than 115,000 people had their PHI accessed and disclosed.
By Bernie Monegain
February 17, 2017
09:56 AM

Memorial Healthcare Systems has paid the U.S. Department of Health and Human Services $5.5 million to settle potential HIPAA violations. MHS executives also agreed to implement a robust corrective action plan.

The health system operates six hospitals, an urgent care center, a nursing home and a variety of ancillary healthcare facilities throughout South Florida. It is also affiliated with physician offices through an Organized Health Care Arrangement.

MHS reported to the HHS Office for Civil Rights that the protected health information of 115,143 individuals had been accessed by its employees and also disclosed to affiliated physician office staff. The information consisted of individuals’ names, dates of birth, and social security numbers.

The login credentials of a former employee of an affiliated physician’s office was used to access the ePHI on a daily basis without detection from April 2011 to April 2012, affecting 80,000 individuals, according to OCR. Although it had workforce access policies and procedures in place, MHS failed to implement procedures for reviewing, modifying and/or terminating users’ right of access, as required by the HIPAA rules.

Also, MHS failed to regularly review records of information system activity on applications that maintain electronic protected health information by workforce users and users at affiliated physician practices – even after having identified the risk on several risk analyses MHS conducted from 2007 to 2012.

“Access to ePHI must be provided only to authorized users, including affiliated physician office staff,” HHS Office for Civil Rights Acting Director Robinsue Frohboese said in a statement.

Organizations must implement audit controls and review audit logs regularly, she added, noting that the MHS case revealed a lack of access controls and regular review of audit logs, making it easier for hackers or malevolent insiders to cover their electronic tracks. 

Twitter: @Bernie_HITN
Email the writer: bernie.monegain@himssmedia.com

Like Healthcare IT News on Facebook and LinkedIn

Topics: 
Government & Policy, Privacy & Security

More regional news

Avihai Sodri of Antidote Health on telemedicine

How virtual-first can improve outcomes and make care more affordable

By
Bill Siwicki
November 12, 2024
Bird's eye view of Nashville during the day

Oracle seeks to address health disparities with new collaborative

By
Andrea Fox
November 12, 2024
Returning service member with daughter

HIMSS launches veterans health IT workforce program

By
Andrea Fox
November 11, 2024
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

Bird's eye view of Nashville during the day
Oracle seeks to address health disparities with new collaborative

Most Read

NUH AI interprets spinal stenosis in '47 seconds' and more AI briefs
The Light Collective amplifies its call for patient data rights
Atrium Health responds to new social engineering attack
Clinical IT leaders on meeting CMS' mandate for patient data access
Epic and Oracle Health sign on to Veteran Interoperability Pledge
Vendor Notebook: New cybersecurity and EHR performance upgrades 

Research

White Papers

More Whitepapers

Patient Engagement
Patient Engagement
Financial/Revenue Cycle Management

Webinars

More Webinars

Imaging
Interoperability
Artificial Intelligence

Video

Marjorie Rosen at HIMSS_Global Health Equity Week 2024
HIMSS chapters offer a powerful channel for healthcare advocacy
Anurag Mehta at Omega Healthcare_Physician working on laptop Photo by Dzonsli/E+/Getty Images
Clinician burnout can be reduced by virtual nursing
Adam Hutchinson at oVRcome_Images courtesy of oVRcome
How VR exposure therapy is helping patients overcome their phobias
Greg Garcia at Cybersecurity Working Group_Healthacre Cybersecurity Forum 2024
Cyberattacks are now at epidemic proportions

More Stories

Dr. Anmol Kapoor of CardiAI and BioAro on AI-enabled precision healthcare
AI-driven precision healthcare is here – what you need to know
Chris Harle, CIO of Regentrief Institute
Regenstrief Institute appoints a new chief information officer
Adam Hutchinson at oVRcome_Images courtesy of oVRcome
How VR exposure therapy is helping patients overcome their phobias
Stethoscope resting on tablet
HIMSSCast: Digital tools can leverage SDOH data and improve outcomes
Dr. Tim O'Connell of emtelligent on AI
Safe and equitable AI needs guardrails, from legislation and humans in the loop
Doctor and patient review clinical notes
Are genAI-produced visit summaries the future?
User authenticates laptop access on a mobile phone with required MFA
Google sets mandatory MFA deadline for all cloud accounts
Greg Garcia at Cybersecurity Working Group_Healthacre Cybersecurity Forum 2024
Cyberattacks are now at epidemic proportions