The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) has announced another settlement for alleged violations of HIPAA. OCR investigated BayCare Health System, which serves central Florida, after a patient complained to OCR in 2018 that her medical record was accessed by an unauthorized individual.
The patient told OCR that she was contacted by an unknown individual who was in possession of her medical records and showed her photographs of her printed medical record, as well as video recordings of her electronic medical record (EMR) on a computer screen. OCR’s investigation confirmed that the individual was a “malicious insider” who was a former employee of an affiliated physician practice. The physician practice was given access to BayCare’s EMR system for purposes of continuity of care for patients who were treated by both of the covered entities.
OCR concluded that BayCare failed to implement adequate HIPAA policies and procedures, failed to reduce risks and vulnerabilities of its EMR system, and failed to regularly review activity logs as to who was accessing its systems. BayCare settled the case with OCR by agreeing to pay a $800,000 monetary penalty and to implement a corrective action plan which includes updating its HIPAA policies and procedures and retraining its workforce on HIPAA compliance.
As part of the settlement announcement, OCR reminded all covered entities that HIPAA requires administrative, physical and technical safeguards to be put into place in order to protect the privacy and security of electronic medical records. In addition, access to records should be limited to the minimum necessary information that is needed by authorized individuals. Complying with these HIPAA requirements minimizes the risk of being targeted by a malicious actor, such as in the BayCare case.
