Procedures Count, Too: $5.5 Million Record-Tying HIPAA Penalty for Lack of Access Audits and Monitoring

Feb 22, 2017 | Blog

Memorial Healthcare System of Florida has learned a very expensive lesson in a settlement of a HIPAA penalty proceeding: Policies for access to medical information alone are insufficient to meet HIPAA requirements. A Covered Entity must have procedures in place to monitor access and compile reports. The $5.5 million settlement, announced in a Press Release issued on February 16, ties a record as the largest penalty ever levied by the Office for Civil Rights (OCR).

The Resolution Agreement notes that two employees of MHS accessed the personal information of at least 80,000 and as many as 105,646 individuals during an eighteen-month period. In a few of these instances, the Agreement notes, “federal charges relating to selling protected health information (PHI) and filing fraudulent tax returns” were filed.

OCR found that while MHS had policies governing access to PHI, it had not implemented procedures to “regularly review records of information system activity, such as audit logs and access reports,” as required by 45 C.F.R. § 164.308(a)(1)(ii)(D). There are products and technologies that can provide dashboards and alerts for unusual levels of PHI access, and many of them were developed after a spate of incidents in which hospital employees “snooped” into records of celebrities such as George Clooney, Kim Kardashian, Britney Spears and the late Farrah Fawcett, as well as hospital co-workers. According to OCR, MHS neither availed itself of those technologies nor instituted processes to monitor such unusual activity.
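The regulation quoted above asks for regular review of audit logs and access reports, and the "dashboards and alerts for unusual levels of PHI access" the post mentions are, at bottom, a comparison of each workforce member's access volume against the norm. The following Python script is an added illustration of that kind of review; it is not code from the original post, from OCR, or from any product named here. The log format (date, user, patient id, action), the median-based baseline and the thresholds are assumptions chosen for the example, and the log lines are constructed.

```python
"""Added example (not part of the original post): a minimal audit-log review
that flags workforce members whose daily count of distinct patient records
accessed is far above the norm, the kind of "unusual level of PHI access"
alert the post refers to. The log format, baseline and thresholds are
assumptions for illustration only."""
from collections import defaultdict
from statistics import median

# Constructed sample audit log: date,user,patient_id,action (one access per line).
# Five users touch a handful of charts each; "clerk42" touches 60 distinct charts.
_normal = [
    f"2016-01-04,{user},P{1000 + i},VIEW"
    for user, n in (("nurse01", 4), ("nurse02", 5), ("dr_lee", 6),
                    ("clerk07", 3), ("pharm3", 5))
    for i in range(n)
]
_suspicious = [f"2016-01-04,clerk42,P{5000 + i},VIEW" for i in range(60)]
SAMPLE_LOG = "\n".join(_normal + _suspicious) + "\n"


def parse_log(text):
    """Parse CSV-style audit lines into (date, user, patient_id, action) tuples,
    skipping blank or malformed lines rather than aborting the whole review."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        records.append(tuple(parts))
    return records


def distinct_patients_per_user_day(records):
    """Map (date, user) -> set of distinct patient ids accessed on that day.
    Distinct charts, not raw event count, so repeated views of one chart
    (normal clinical work) do not look like mass access."""
    seen = defaultdict(set)
    for date, user, patient_id, _action in records:
        seen[(date, user)].add(patient_id)
    return seen


def flag_unusual_access(records, factor=5.0, min_patients=20):
    """Return [(date, user, count, baseline)] for user-days whose distinct-patient
    count is at least `factor` times the day's median and at least `min_patients`.
    The median is the baseline so that a single outlier does not inflate the
    norm it is being compared against; `min_patients` keeps very quiet days
    (median of 1 or 2) from producing noise."""
    per_user_day = distinct_patients_per_user_day(records)
    by_date = defaultdict(list)
    for (date, user), patients in per_user_day.items():
        by_date[date].append((user, len(patients)))
    alerts = []
    for date, rows in by_date.items():
        baseline = median(count for _user, count in rows)
        for user, count in rows:
            if count >= min_patients and count >= factor * baseline:
                alerts.append((date, user, count, baseline))
    return alerts


if __name__ == "__main__":
    for date, user, count, baseline in flag_unusual_access(parse_log(SAMPLE_LOG)):
        print(f"{date}: {user} accessed {count} distinct charts "
              f"(daily median across users: {baseline})")
```

On the constructed log this flags only `clerk42`, whose 60 distinct charts in one day sit far above the median of 5. In practice a review like this is only the first pass: a flagged user-day still has to be checked against the person's role and assigned patients, and the review itself should be scheduled and documented, since the finding against MHS was the absence of any such procedure rather than the absence of a policy.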

HIPAA penalties are growing almost exponentially, and many of the largest penalty settlements have stemmed from breaches and unauthorized disclosures by Covered Entity employees. OCR shows little patience with such incidents, which may be on the rise, and its aggressive enforcement with regard to such HIPAA violations shows no signs of abatement. Covered Entities (healthcare providers or health plans) and their Business Associates should review their procedures to make sure they include audits and monitoring of those who access PHI. Failing to do so can be very expensive.

If you require assistance with health information management assessment and process compliance, please contact Kenneth N. Rashbaum.