For the first time, the Office of Civil Rights (“OCR”) penalized a covered entity for failure to implement audit procedures to review, modify, and/or terminate users’ right of access. In the scope of the investigation, it was discovered that more than 100,000 individuals had their electronic Protected Heath Information (“ePhi”) records impermissibly disclosed.
On February 16, 2017, the Office of Civil Rights announced that it had entered into a settlement agreement with Memorial Healthcare System (“MHS”) to settle potential violations of HIPAA. The settlement agreement included a robust corrective action plan and the second largest fine levied against a covered entity to date: $5.5 million. For those keeping track, the largest fine ever levied was $5.55 million in August of 2016.
The Basic Facts
MHS operates the fourth largest public healthcare system in the United States. In addition to its own services, it participates in an Organized Health Care Arrangement (“OHCA”), affiliating itself with a network of physician offices. In an OHCA, covered entities allow employees from affiliated physician practices to access EHR records and cross serve patients. These types of arrangements increase availability of healthcare and can improve patient access.
As part of fulfilling its standard breach reporting obligations in 2012, MHS submitted a breach report to the OCR regarding inappropriate access to patient records by two employees. Three months later, MHS filed an update to the breach report, stating that in addition to the original two users, twelve more users from affiliated physician offices also inappropriately accessed patient ePHI. All told, an estimated 105,646 individuals had their ePHI inappropriately accessed.
At the root of this breach was MHS’s failure to follow its own polices and deactivate the login credentials of a former employee from an affiliated physician’s office. Over the course of roughly a year, these credentials were repeatedly used to gain access to MHS’s data systems and client ePHI. During the course of the OCR’s investigation, it was discovered that some of these inappropriate disclosures resulted in federal criminal charges stemming from the selling of ePHI and fraudulent tax returns.
Settlement Agreement Synopsis
The settlement agreement and corrective action plan represent the first truly robust enforcement action against a company for failure to implement user access audit controls. The settlement agreement noted a pattern of disregard for the monitoring and auditing of user access over the course of five years, despite several risk analyses identifying this very issue.
In reviewing the totality of the breaches, including the federal charges and fraudulently filed tax returns, OCR levied a $5.5million fine. Given the size of this fine, there is a clear signal that audit controls will likely become a focus of OCR moving forward. With the recent round of OCR audits, it stands to reason that poor audit controls led to increased awareness of this issue.
While settlement agreements often bring nuanced issues to light, the MHS settlement sets a clear tone by identifying three key aspects of a HIPAA compliance program:
- Implement and audit established policies and procedures;
- User access controls must be timely, verifiable, and robust; and
- After a risk analysis is completed, corrective action must occur.
Check with your IT and HR department today to verify whether your audit controls are sufficient. When meeting with these departments, consider using the following questions as a roadmap for discussions:
- When a user is terminated or resigns, what is the process to terminate access?
- Do we have the ability to “break the glass” and immediately freeze a user’s access?
- Can we review an audit of a user’s access and see what they viewed and when?
- Do we have the ability to limit a user’s access to only those records that they need to see?
- If a user accesses a record that they do not need to see, can our system alert us?
The answers to these questions should drive some key discussions within your organization and perhaps prompt a risk analysis to ensure the mistakes of MHS are not repeated.
/s/ HH @LegalLevity
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.