In January 2017, the U.S. Department of Health & Human Services (HHS) released a newsletter entitled “Understanding the Importance of Audit Controls.” Shortly after its release, HHS announced a $5.5 million settlement, one of the largest reported settlement payments to date for violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
The case involved Memorial Healthcare System (MHS), a nonprofit healthcare system that operated multiple hospitals, an urgent care center, a nursing home, and other ancillary healthcare facilities throughout Florida. Due to MHS’ reported failure to adequately implement appropriate procedures to safeguard its patients’ protected health information (PHI) or to properly review its information systems’ activities, up to 14 MHS employees impermissibly accessed patients’ PHI, including patients’ names, dates of birth and social security numbers, some of which was illegally sold. In certain instances, former employees obtained patient PHI using login credentials that remained active after their employment had terminated. In total, the PHI of 115,000 individuals was compromised.
In addition to the multimillion-dollar settlement payment, MHS must implement an extensive corrective action plan and revise policies and procedures to require regular auditing of security systems as well as the establishment and termination of access to patients’ PHI.
By coupling the issuance of the newsletter with the announcement of a significant settlement agreement, HHS is sending a strong message to Covered Entities and their Business Associates who are covered by HIPAA as to the expectations for establishing and implementing effective audit controls to protect their patients’ PHI.
For assistance in establishing or carrying out audits of information system controls of PHI, please contact Indiana healthcare law attorney Ted Barron at rbarron@KDDK.com or (812) 423-3183, or contact any member of KDDK’s healthcare law practice group.
About the Author
Robert F. “Ted” Barron is a member of KDDK’s healthcare law practice group. He counsels numerous health care clients including hospitals, joint ventures, surgery centers, physicians, physician groups, rehabilitation centers, and mental health centers on contractual matters, regulatory and compliance issues, various operational matters and employment issues.