Nosy staff who don’t understand HIPAA are an expensive risk.
Yakima Valley Memorial Hospital in Washington settled an investigation into a breach, caused by curious insiders, that affected 419 patients. The Office for Civil Rights (OCR), the HHS agency that enforces HIPAA, investigated allegations that security guards working in the hospital's emergency department had used their login credentials to view patients' medical records without any job-related need to do so. The hospital paid $240,000 to OCR in June 2023 to settle the matter; the settlement agreement also includes a two-year corrective action plan.
According to OCR, the guards accessed names, dates of birth, medical record numbers, addresses, certain notes related to treatment, and insurance information.
“Data breaches caused by current and former workforce members impermissibly accessing patient records are a recurring issue across the healthcare industry. Health care organizations must ensure that workforce members can only access the patient information needed to do their jobs,” said OCR Director Melanie Fontes Rainer. “HIPAA covered entities must have robust policies and procedures in place to ensure patient health information is protected from identity theft and fraud.”
In the settlement, Yakima Valley Memorial Hospital agreed to implement a variety of corrective actions, including enhancing its HIPAA training programs and reviewing relationships with vendors and third-party providers to ensure that business associate agreements are in place.
The hospital also must revise and maintain its written HIPAA policies and procedures, conduct a risk analysis to identify risks and vulnerabilities to electronic protected health information (ePHI), and develop a risk management plan to address them.
Insider Snooping Remains a Risk for Healthcare Entities
Although external actors still cause the majority of healthcare data breaches, internal threats remain a problem and should not be discounted, according to the Verizon 2023 Data Breach Investigations Report (the Report). For our summary of the healthcare portion, see Verizon Report Sheds Light on Data Breaches.
The Report noted that in healthcare “External actors were responsible for 83% of breaches, while Internal ones account for 19%.” (The figures can sum to more than 100% because a single breach may involve both kinds of actor.) Some of these internal breaches were caused by accident or mistake, but a troubling number were intentional.
According to the Report, the antidotes to insider breaches parallel the corrective actions in the OCR settlement with Yakima: staff training (including cybersecurity awareness), restricting each worker's access to the minimum their job requires, password management, and risk analysis. Sanctions for staff who break policy are also appropriate.
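The Yakima case turned on a role (security guard) that had credentials allowing far more than the job required, and on nobody noticing the out-of-scope views. The following is an added example, not code from the page, from OCR or from any EHR vendor, of the kind of audit-log check that makes "restricting access" enforceable after the fact: it reads constructed EHR access-log lines, compares each action against a hypothetical role policy, and separately flags clinical views by users who have no documented treatment relationship with the patient. The log layout, role names, the ROLE_POLICY map and the CARE_TEAM assignments are all assumptions made for illustration.

```python
"""Flag EHR audit-log entries that fall outside a user's job role (least privilege)
or that touch clinical data without a documented treatment relationship.

Added example; the log format, roles, policy and assignments are assumptions."""

import csv
import io
from collections import Counter

# Hypothetical role-to-permitted-action policy (assumption). A security guard only
# needs to find where a patient is, never to read the chart.
ROLE_POLICY = {
    "security_guard": {"view_locator"},
    "nurse": {"view_locator", "view_demographics", "view_chart", "view_notes"},
    "physician": {"view_locator", "view_demographics", "view_chart", "view_notes"},
    "billing": {"view_demographics", "view_insurance"},
}

# Actions that reveal clinical content and so also require a care relationship.
CLINICAL_ACTIONS = {"view_chart", "view_notes"}

# Hypothetical (user, patient) care-team assignments from the encounter system.
CARE_TEAM = {
    ("nurse01", "MRN1001"),
    ("dr_lee", "MRN1001"),
    ("dr_lee", "MRN1003"),
}

# Constructed sample audit log; not real data.
SAMPLE_LOG = """timestamp,user,role,patient_mrn,action
2023-04-02T01:12:09,guard07,security_guard,MRN1001,view_locator
2023-04-02T01:14:33,guard07,security_guard,MRN1001,view_notes
2023-04-02T01:15:02,guard07,security_guard,MRN1002,view_demographics
2023-04-02T08:05:41,nurse01,nurse,MRN1001,view_chart
2023-04-02T08:07:13,nurse01,nurse,MRN1003,view_chart
2023-04-02T09:30:00,bill02,billing,MRN1002,view_insurance
"""


def parse_log(text):
    """Parse CSV audit-log text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(entries, policy=ROLE_POLICY, care_team=CARE_TEAM):
    """Return one finding per entry that violates the role policy or lacks a
    treatment relationship for a clinical view. Unknown roles get no rights."""
    findings = []
    for e in entries:
        allowed = policy.get(e["role"], set())
        if e["action"] not in allowed:
            reason = "action_outside_role"
        elif e["action"] in CLINICAL_ACTIONS and (e["user"], e["patient_mrn"]) not in care_team:
            reason = "no_treatment_relationship"
        else:
            continue
        findings.append({
            "timestamp": e["timestamp"],
            "user": e["user"],
            "role": e["role"],
            "patient_mrn": e["patient_mrn"],
            "action": e["action"],
            "reason": reason,
        })
    return findings


def users_to_review(findings, threshold=1):
    """Users with at least `threshold` findings, most findings first."""
    counts = Counter(f["user"] for f in findings)
    return [user for user, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    results = audit(parse_log(SAMPLE_LOG))
    for f in results:
        print(f"{f['timestamp']} {f['user']} ({f['role']}) {f['action']} "
              f"on {f['patient_mrn']}: {f['reason']}")
    print("review:", users_to_review(results))
```

The two checks are deliberately separate: the first is a pure policy mismatch that a well-configured EHR should have blocked up front, and its presence in the log means the role's permissions are too broad; the second catches a user whose role legitimately allows chart access but who is looking at a patient they are not treating, which is the classic "curious insider" pattern and can only be caught by comparing the log against encounter or care-team data.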
Risk Analysis at Your Fingertips
A HIPAA risk analysis done the right way will uncover all the risks to patient privacy, internal and external, that are unique to your organization. Learn your risks and vulnerabilities to design a risk management plan to diminish those risks and lower the chances of a breach. You can’t buy it off the shelf. A risk management plan is unique, tailored to your specific situation. The HIPAA E-Tool® outlines exactly what you need to do and shows you how to get it done.