Employee snooping, lack of access controls earns $5.5 million HIPAA fine
The Office for Civil Rights (OCR) sent a $5.5 million message about the importance of audit and access controls in its latest HIPAA settlement, OCR announced February 16.
Memorial Healthcare Systems (MHS) in Hollywood, Florida, a nonprofit including six hospitals, an urgent care center, a nursing home, and ancillary healthcare facilities, submitted a breach report in 2012 after it discovered that approximately a dozen MHS employees inappropriately accessed the protected health information (PHI) of 80,000 individuals. The accessed information included:
- Dates of birth
- Names
- Social Security numbers
Employees used the login credentials of a former employee of an affiliated physician office to access PHI on a daily basis from April 2011 to April 2012. Some of these instances led to federal charges for selling PHI and filing fraudulent tax returns, according to the resolution agreement.
OCR’s investigators discovered that although MHS had workforce access policies and procedures in place, they were not fully implemented. MHS did not review, modify, or terminate users’ access as required by HIPAA and did not audit activity logs on applications that maintain PHI. MHS identified this risk in a number of risk analyses it conducted between 2007 and 2012, but failed to act.
OCR pointed out that poor access controls, such as leaving the login credentials of former employees active and failing to audit activity logs, not only leave an organization vulnerable to breaches and theft of PHI by employees but also make it an easy target for hackers.
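As an added illustration, not taken from the article or from the resolution agreement: a small Python check of the two controls OCR cited, run over a constructed workforce roster and constructed application audit log lines. It flags PHI access by an account whose owner's termination date has passed (the pattern described above, where a former employee's credentials kept working for a year) and accounts that appear in the log but not in the roster. All account names, dates and patient IDs are made up for the example.

```python
from datetime import date, datetime

# Constructed workforce roster: account -> termination date (None = still employed).
# Names and dates are assumptions for this example, not from the case.
ROSTER = {
    "jdoe": None,
    "asmith": date(2011, 3, 31),   # left the affiliated office, account never disabled
    "bwong": date(2012, 6, 1),
}

# Constructed PHI application audit log, one event per line: "timestamp user action patient_id"
SAMPLE_LOG = """\
2011-04-04T08:12:09 jdoe VIEW 1001
2011-04-04T08:15:41 asmith VIEW 1002
2011-04-05T09:02:17 asmith VIEW 1003
2011-04-05T09:03:55 asmith VIEW 1004
2011-04-06T10:30:00 bwong VIEW 1005
2011-04-06T10:31:12 xperez VIEW 1005
2012-04-02T11:45:12 asmith VIEW 1006
"""

def parse_log(text):
    """Parse the whitespace-separated log format above into (datetime, user, action, patient) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split()
        events.append((datetime.fromisoformat(ts), user, action, patient))
    return events

def find_terminated_account_access(roster, events):
    """Return (user, day, count): one row per day a terminated account touched PHI after its termination date."""
    per_day = {}
    for ts, user, _action, _patient in events:
        term = roster.get(user)
        if term is None:
            continue          # active employee, or not in roster (see unknown_accounts)
        if ts.date() > term:  # access after the termination date is the access-review failure
            key = (user, ts.date())
            per_day[key] = per_day.get(key, 0) + 1
    return sorted((u, d, n) for (u, d), n in per_day.items())

def unknown_accounts(roster, events):
    """Accounts that act in the application but have no owner in the workforce roster."""
    return sorted({user for _, user, _, _ in events if user not in roster})
```

Run daily against the real roster feed and application logs, the first function is the "audit activity logs" control and the second surfaces accounts that the "review, modify, or terminate access" process never covered.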