HHS Office for Civil Rights Settles HIPAA Security Rule Investigation with a Florida Health Care Provider

Settlement Resolves Investigation into Potential Security Rule Failures Exploited by Malicious Insider

Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with BayCare Health System (BayCare), a Florida health care provider, concerning several potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement resolves an OCR investigation based on a complaint received concerning impermissible access to the complainant’s electronic protected health information (ePHI).

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which set forth the requirements that covered entities (health plans, health care clearinghouses, and most health care providers) and business associates must follow to protect the privacy and security of protected health information (PHI). The HIPAA Security Rule establishes national standards to protect and secure our health care system by requiring administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI.

“In an era of hacking and ransomware attacks, HIPAA regulated entities still need to ensure that workforce members and other users with access to an electronic medical record only have access to the health information necessary for them to perform their jobs,” said OCR Acting Director Anthony Archeval. “Allowing unrestricted access to patient health information can create an attractive target for a malicious insider.”

OCR initiated the investigation following its receipt of a complaint in October 2018, in which the complainant alleged that after receiving treatment at a BayCare facility, she was contacted by an unknown individual who had photographs of her printed medical records, as well as a video of someone scrolling through her medical records on a computer screen. The investigation determined that the credentials used to access the complainant’s medical record belonged to a non-clinical former staff member of a physician’s practice, which had access to BayCare’s electronic medical records for the continuity of common patients’ care.

OCR’s investigation found BayCare potentially violated multiple HIPAA Security Rule requirements, including:

• Failing to implement policies and procedures for authorizing access to ePHI that are consistent with the applicable requirements of the HIPAA Privacy Rule,
• Failing to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level, and
• Failure to regularly review records of information system activity.

Under the terms of the settlement, BayCare agreed to implement a corrective action plan that OCR will monitor for two years, and paid OCR $800,000. Under the corrective action plan, BayCare will take steps to resolve its potential violations of the HIPAA Security Rule, and to protect the privacy and security of ePHI, including:

• Conducting an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
• Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis;
• Revising, as necessary, its written policies and procedures to comply with the HIPAA Rules; and
• Training its workforce that has access to ePHI on its HIPAA policies and procedures.

OCR recommends that health care providers, health plans, health care clearinghouses, and business associates that are covered by HIPAA take the following steps to protect ePHI:

• Identify where ePHI is located in the organization, including how ePHI enters, flows through, and leaves the organization’s information systems.
• Integrate risk analysis and risk management into the organization’s business processes.
• Ensure that audit controls are in place to record and examine information system activity.
• Implement regular reviews of information system activity.
• Utilize mechanisms to authenticate information to ensure only authorized users are accessing ePHI.
• Encrypt ePHI in transit and at rest to guard against unauthorized access to ePHI when appropriate.
• Incorporate lessons learned from incidents into the organization’s overall security management process.
• Provide workforce members with regular HIPAA training that is specific to the organization and to the workforce members’ respective job duties.

The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/sites/default/files/hhs-ocr-hipaa-baycare-agreement.pdf

The HHS Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information may be found at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of peoples’ health information. Guidance about the Privacy Rule, Security Rule, and Breach Notification Rule along with additional information about controlling access to ePHI can be found on OCR’s website.
If you believe that your or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR at https://www.hhs.gov/ocr/complaints/index.html.

Follow HHS OCR on X at @HHSOCR.