HIPAA

HHS Investigation of Snooping Security Guards Results in $240,000 Settlement

EBIA  

· 5 minute read


Resolution Agreement: Yakima Valley Memorial Hospital (May 15, 2023); HHS Press Release (June 15, 2023)

HHS has announced a resolution agreement between the Office for Civil Rights (OCR) and a not-for-profit community hospital to settle alleged violations of HIPAA’s privacy and security rules. OCR opened the investigation after a breach notification report indicated that 23 security guards in the emergency department had used their own login credentials to impermissibly access 419 patient medical records stored in the hospital’s electronic medical record system. OCR’s investigation found that the security guards did not need access to electronic protected health information (ePHI) to perform their jobs, yet their accounts permitted it.

The resolution agreement requires a $240,000 settlement payment and compliance with a two-year corrective action plan (CAP). Under the CAP, the hospital must submit each of the following to HHS for review and approval: (1) an enterprise-wide analysis of security risks and vulnerabilities; (2) an enterprise-wide risk management plan to identify and mitigate the risks found in that analysis; (3) written policies and procedures that comply with HIPAA, which the hospital must maintain, revise as needed, and distribute to all workforce members with access to PHI; (4) augmented privacy and security training programs that include instruction on those HIPAA policies and procedures; and (5) a review of its relationships and vendors to identify business associates and obtain business associate agreements where needed. The hospital must also investigate failures to comply with its policies and procedures and report any material failure to HHS.

EBIA Comment: This resolution agreement illustrates the importance of evaluating the roles of all workforce members to determine which individuals should have access to PHI and which should not, and then provisioning system accounts accordingly rather than granting broad access by default. The HHS press release cautions that breaches by current and former workforce members impermissibly accessing PHI are a recurring issue for HIPAA covered entities. Health plans should ensure that workforce members have access to PHI only to the extent necessary to perform their jobs, and that access is removed promptly when a role changes or ends. HIPAA covered entities also need to regularly monitor workforce members’ access to PHI (for example, by reviewing system access logs), and should periodically revisit their risk analysis, risk management plan, business associate agreements, policies and procedures, and training. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections II.M (“How the Privacy & Security Rules Affect Group Health Plans and Plan Sponsors”), XX.D (“Resolution Agreements”), XXIII.F (“Applying the HIPAA Privacy and Security Rules to Group Health Plans and Their Sponsors”), XXIV.F (“HIPAA Audits”), XXV.H (“Breach Planning and Response”), XXX.F (“Policies and Procedures, Documentation Requirements”), and XXXI.E (“Problems Relating to HIPAA Security”).
