Privacy Daily is a service of Warren Communications News.

HHS Reports $800K Settlement with Health Care System for HIPAA Security Rule Violations

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced an $800,000 settlement with BayCare Health System for alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The Wednesday settlement ends an OCR investigation into whether unauthorized access to an individual's electronic protected health information (ePHI) occurred at the Florida provider.

OCR launched an investigation after receiving a complaint in October 2018 alleging that a BayCare patient received an unknown message containing photos of physical and digital copies of medical records, HHS said. OCR's investigation discovered that a former BayCare staffer retained access to the company's electronic medical records, it added.

In addition, the investigation found BayCare failed to implement policies and procedures for authorizing access to ePHI in compliance with the HIPAA Security Rule; failed to reduce risks and vulnerabilities in its system; and failed to regularly review activity within information systems. Along with the monetary penalty, BayCare must conduct a risk analysis, develop and implement a risk management plan, revise policies relating to Security Rule compliance and train employees with access to ePHI.

“In an era of hacking and ransomware attacks, HIPAA-regulated entities still need to ensure that workforce members and other users with access to an electronic medical record only have access to the health information necessary for them to perform their jobs,” said OCR Acting Director Anthony Archeval.