An official website of the United States government
Here’s how you know
Official websites use .gov A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
Snooping in Medical Records by Hospital Security Guards Leads to $240,000 HIPAA Settlement
Yakima Valley Memorial Hospital in Washington settles breach that affected 419 people
Today, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement with Yakima Valley Memorial Hospital, a not-for-profit community hospital located in Yakima, Washington resolving an investigation under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). OCR investigated allegations that several security guards from Yakima Valley Memorial Hospital impermissibly accessed the medical records of 419 individuals. HIPAA is a federal law that protects the privacy and security of protected health information. The HIPAA Privacy, Security, and Breach Notification Rules apply to most health care organizations and set the requirements that HIPAA-regulated entities must follow to protect the privacy and security of health information. To voluntarily resolve this matter, Yakima Valley Memorial Hospital agreed to pay $240,000 and implement a plan to update its policies and procedures to safeguard protected health information and train its workforce members to prevent this type of snooping behavior in the future.
“Data breaches caused by current and former workforce members impermissibly accessing patient records are a recurring issue across the healthcare industry. Health care organizations must ensure that workforce members can only access the patient information needed to do their jobs,” said OCR Director Melanie Fontes Rainer. “HIPAA covered entities must have robust policies and procedures in place to ensure patient health information is protected from identify theft and fraud.”
In May 2018, OCR initiated an investigation of Yakima Valley Memorial Hospital following the receipt of a breach notification report, stating that 23 security guards working in the hospital’s emergency department used their login credentials to access patient medical records maintained in Yakima Valley Memorial Hospital’s electronic medical record system without a job-related purpose. The information accessed included names, dates of birth, medical record numbers, addresses, certain notes related to treatment, and insurance information.
As a result of the settlement agreement, Yakima Valley Memorial Hospital will be monitored for two years by OCR to ensure compliance with the HIPAA Security Rule. Yakima Valley Memorial Hospital has agreed to take the following steps to bring their organization into compliance with the HIPAA Rules:
Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic protected health information;
Develop and implement a risk management plan to address and mitigate identified security risks and vulnerabilities identified in the risk analysis;
Develop, maintain, and revise, as necessary, its written HIPAA policies and procedures;
Enhance its existing HIPAA and Security Training Program to provide workforce training on the updated HIPAA policies and procedures;
Review all relationships with vendors and third-party service providers to identify business associates and obtain business associate agreements with business associates if not already in place.
OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of peoples’ health information. If you believe that you or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR at https://www.hhs.gov/ocr/complaints/index.html.
For general media inquiries, please contact media@hhs.gov.
Content created by Office for Civil Rights (OCR) Content last reviewed
Disclaimer Policy: Links with this icon () mean that you are leaving the HHS website.
The Department of Health and Human Services (HHS) cannot guarantee the accuracy of a non-federal website.
Linking to a non-federal website does not mean that HHS or its employees endorse the sponsors, information, or products presented on the website. HHS links outside of itself to provide you with further information.
You will be bound by the destination website's privacy policy and/or terms of service when you follow the link.
HHS is not responsible for Section 508 compliance (accessibility) on private websites.
For more information on HHS's web notification policies, see Website Disclaimers.