The Basic Facts

MHS operates the fourth largest public healthcare system in the United States. In addition to its own services, it participates in an Organized Health Care Arrangement (“OHCA”), affiliating itself with a network of physician offices. In an OHCA, covered entities allow employees from affiliated physician practices to access EHR records and cross-serve patients. These types of arrangements increase the availability of healthcare and can improve patient access. As part of fulfilling its standard breach reporting obligations in 2012, MHS submitted a breach report to the OCR regarding inappropriate access to patient records by two employees. Three months later, MHS filed an update to the breach report, stating that in addition to the original two users, twelve more users from affiliated physician offices had also inappropriately accessed patient ePHI. All told, an estimated 105,646 individuals had their ePHI inappropriately accessed. At the root of this breach was MHS’s failure to follow its own policies and deactivate the login credentials of a former employee from an affiliated physician’s office. Over the course of roughly a year, these credentials were repeatedly used to gain access to MHS’s data systems and patient ePHI. During the course of the OCR’s investigation, it was discovered that some of these inappropriate disclosures resulted in federal criminal charges stemming from the selling of ePHI and the filing of fraudulent tax returns.
Settlement Agreement Synopsis

The settlement agreement and corrective action plan represent the first truly robust enforcement action against a company for failure to implement user access audit controls. The settlement agreement noted a pattern of disregard for the monitoring and auditing of user access over the course of five years, despite several risk analyses identifying this very issue. In reviewing the totality of the breaches, including the federal charges and fraudulently filed tax returns, OCR levied a $5.5 million fine. Given the size of this fine, there is a clear signal that audit controls will likely become a focus of OCR moving forward. With the recent round of OCR audits, it stands to reason that findings of poor audit controls led to increased awareness of this issue.
Takeaways

While settlement agreements often bring nuanced issues to light, the MHS settlement sets a clear tone by identifying three key aspects of a HIPAA compliance program:
- Implement and audit established policies and procedures;
- User access controls must be timely, verifiable, and robust; and
- After a risk analysis is completed, corrective action must occur.

- When a user is terminated or resigns, what is the process to terminate access?
- Do we have the ability to “break the glass” and immediately freeze a user’s access?
- Can we review an audit of a user’s access and see what they viewed and when?
- Do we have the ability to limit a user’s access to only those records that they need to see?
- If a user accesses a record that they do not need to see, can our system alert us?
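The two failures at the heart of this case, a credential that stayed active after the user left and users reading records of patients they had no relationship with, are exactly what a periodic review of the EHR audit trail should surface. The script below is an added example written for this post; it is not MHS's code, and the audit log format, the HR termination feed, the care-team assignments, and every user and patient identifier in it are constructed for illustration. It assumes the EHR emits one whitespace-delimited line per access (timestamp, user id, patient id, action) and that HR and scheduling systems can supply the two reference lists.

```python
"""Audit-trail checks for stale credentials and out-of-scope record access.

Added example; all data below is constructed, none of it comes from MHS or OCR.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Set

# Constructed EHR audit trail: <ISO timestamp> <user> <patient> <action>.
AUDIT_LOG = """\
2012-04-02T09:14:00 jdoe P1001 VIEW
2012-04-02T09:20:00 jdoe P1002 VIEW
2012-05-15T11:05:00 rsmith P2001 VIEW
2012-05-16T08:45:00 rsmith P2002 VIEW
2012-06-01T13:30:00 rsmith P3001 VIEW
2012-06-01T13:31:00 rsmith P3002 VIEW
2012-06-03T22:10:00 rsmith P3003 EXPORT
2012-06-04T07:55:00 aleung P1001 VIEW
"""

# Constructed HR feed from the affiliated practice: user -> last day of employment.
# rsmith left on 31 May but the EHR account was never deactivated.
TERMINATIONS: Dict[str, date] = {
    "rsmith": date(2012, 5, 31),
}

# Constructed care-team assignments: user -> patients the user is authorised to view.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "jdoe": {"P1001", "P1002"},
    "rsmith": {"P2001", "P2002"},
    "aleung": {"P1003"},
}


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    user: str
    patient: str
    action: str


def parse_audit_log(text: str) -> List[AccessEvent]:
    """Parse the constructed log format into events; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split()
        events.append(AccessEvent(datetime.fromisoformat(ts), user, patient, action))
    return events


def stale_credential_access(events: List[AccessEvent],
                            terminations: Dict[str, date]) -> List[AccessEvent]:
    """Accesses made after the user's last day: the credential was not deactivated."""
    return [e for e in events
            if e.user in terminations and e.when.date() > terminations[e.user]]


def out_of_scope_access(events: List[AccessEvent],
                        assignments: Dict[str, Set[str]]) -> List[AccessEvent]:
    """Accesses to patients outside the user's assigned care list (minimum necessary)."""
    return [e for e in events if e.patient not in assignments.get(e.user, set())]


def affected_patients(events: List[AccessEvent]) -> Set[str]:
    """Distinct patients touched by the flagged events, for breach-scope counting."""
    return {e.patient for e in events}


def run_checks(text: str = AUDIT_LOG,
               terminations: Dict[str, date] = TERMINATIONS,
               assignments: Dict[str, Set[str]] = ASSIGNMENTS) -> dict:
    events = parse_audit_log(text)
    stale = stale_credential_access(events, terminations)
    scope = out_of_scope_access(events, assignments)
    return {
        "stale_credential": stale,
        "out_of_scope": scope,
        "patients_affected": affected_patients(stale + scope),
    }


if __name__ == "__main__":
    result = run_checks()
    for label in ("stale_credential", "out_of_scope"):
        print(f"== {label} ==")
        for e in result[label]:
            print(f"  {e.when.isoformat()} {e.user} {e.patient} {e.action}")
    print("patients affected:", sorted(result["patients_affected"]))
```

The two checks are deliberately independent: the termination check needs only an HR feed and catches the former employee's continued logins regardless of which patients were viewed, while the scope check catches a current user (aleung here) reading a patient outside their care list, which no deprovisioning process would ever flag. Running both on a schedule, and feeding the out-of-scope hits into an alert rather than a quarterly report, is what the last two takeaway questions are asking for.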