The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced Friday a settlement with BayCare Health System, a prominent Florida-based healthcare provider. The agreement resolves an investigation into several potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, stemming from unauthorized access to a patient’s electronic protected health information (ePHI) by a malicious insider.
BayCare Health System has agreed to pay $800,000 and implement a comprehensive two-year corrective action plan to address the identified vulnerabilities and enhance its data security practices.
The OCR investigation commenced in October 2018 following a complaint from a patient who, after receiving treatment at a BayCare facility, was contacted by an unknown individual. This individual possessed photographs of the patient’s printed medical records and a video showing someone scrolling through her medical records on a computer screen.
Investigators determined that the credentials used to access the patient’s records belonged to a non-clinical former staff member of a physician’s practice that had legitimate access to BayCare’s electronic medical records system for continuity of care purposes.
“In an era of hacking and ransomware attacks, HIPAA-regulated entities still need to ensure that workforce members and other users with access to an electronic medical record only have access to the health information necessary for them to perform their jobs,” said OCR Acting Director Anthony Archeval. “Allowing unrestricted access to patient health information can create an attractive target for a malicious insider.”
OCR’s investigation found potential violations of multiple HIPAA Security Rule requirements by BayCare, including:
- Failing to implement policies and procedures for authorizing access to ePHI consistent with the HIPAA Privacy Rule.
- Failing to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level.
- Failing to regularly review records of information system activity.
Under the terms of the settlement, BayCare will undertake a robust corrective action plan monitored by OCR. This plan includes:
- Conducting an accurate and thorough risk analysis to identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI.
- Developing and implementing a risk management plan to address and mitigate identified security risks.
- Revising its written policies and procedures as necessary to comply with HIPAA Rules.
- Training its workforce members who have access to ePHI on its updated HIPAA policies and procedures.
OCR also provided general recommendations for all HIPAA-covered entities – including health care providers, health plans, health care clearinghouses, and business associates – to better protect ePHI.
These include identifying ePHI locations, integrating risk analysis into business processes, ensuring audit controls and regular review of system activity, utilizing authentication mechanisms, encrypting ePHI where appropriate, incorporating lessons learned from incidents, and providing regular, role-specific HIPAA training to workforce members.
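As an added illustration of the audit-control and role-based access recommendations above (an example written for this page, not the article's content or OCR's guidance), the following Python sketch reviews constructed EMR access-log lines against a workforce roster and flags credentials of separated users, credentials not on the roster, and chart access beyond the user's role. Every user name, role, date and log line is a constructed assumption.

```python
"""Audit-log review for ePHI access: flag record access by credentials whose
owner has left the workforce, credentials not on the roster, and chart access
that exceeds the user's role. All data below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Workforce:
    user: str
    role: str
    separated: Optional[date]  # separation date, None if still active

# Constructed roster: one external practice user separated mid-2018.
ROSTER = {
    "dr.smith": Workforce("dr.smith", "physician", None),
    "clerk.jones": Workforce("clerk.jones", "clinical_staff", None),
    "ext.practice01": Workforce("ext.practice01", "non_clinical", date(2018, 6, 30)),
}

# Roles permitted to open a full clinical chart (assumption for this example).
CHART_ROLES = {"physician", "nurse", "clinical_staff"}

# Constructed EMR audit lines: date, user, action, patient id.
AUDIT_LOG = [
    "2018-09-12 dr.smith view_chart P1001",
    "2018-09-12 clerk.jones view_chart P1002",
    "2018-09-13 ext.practice01 view_chart P1001",
    "2018-09-13 ext.practice01 view_chart P1001",
    "2018-09-14 unknown.user view_chart P1003",
]

def review(log, roster, chart_roles=CHART_ROLES):
    """Return (line, reason) for every entry an auditor should escalate."""
    findings = []
    for line in log:
        when, user, action, _patient = line.split()
        ts = date.fromisoformat(when)
        entry = roster.get(user)
        if entry is None:
            findings.append((line, "credential not in workforce roster"))
        elif entry.separated is not None and ts > entry.separated:
            findings.append((line, "access after workforce separation"))
        elif action == "view_chart" and entry.role not in chart_roles:
            findings.append((line, "role not authorized for full chart"))
    return findings

if __name__ == "__main__":
    for line, reason in review(AUDIT_LOG, ROSTER):
        print(f"{reason}: {line}")
```

Running the block prints the two post-separation accesses and the unknown credential; the two in-role accesses by active staff are not reported.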