Executive Summary  

A recent Health and Human Services Office for Civil Rights (OCR) settlement with a hospital provides a reminder that only those employees whose jobs require access to Protected Health Information (PHI) should be permitted to gain access to it. Security guards were able to access PHI protected by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements in a clear breach of HIPAA protocols. The breach led to a $240,000 fine for the hospital. The case involves a medical facility rather than an employer medical plan. However, it offers a cautionary reminder to employers that maintain self-funded plans (since fully insured plans typically do not have access to PHI) regarding HIPAA privacy: the only people who have access to PHI must be those that need that access for the administration of the plan, and the employer must adopt the appropriate physical and electronic security measures to ensure that PHI is not improperly accessed.  

HIPAA Settlement

The OCR recently announced a settlement with Yakima Valley Memorial Hospital, a not-for-profit community hospital, regarding an allegation of violating HIPAA privacy requirements. OCR reported that it had investigated allegations that several security guards from Yakima Valley Memorial Hospital impermissibly accessed the medical records of 419 individuals. In May 2018, OCR initiated an investigation of the hospital following the receipt of a breach notification report stating that 23 security guards working in the hospital’s emergency department used their login credentials to access patient medical records maintained in Yakima Valley Memorial Hospital’s electronic medical record system without a job-related purpose. The information accessed included names, dates of birth, medical record numbers, addresses, certain notes related to treatment, and insurance information.

HIPAA is intended to protect the privacy and security of protected health information. HIPAA requires covered entities to report breaches of the HIPAA privacy requirements to OCR. That appears to be what brought this case to the attention of OCR. Self-funded employer plans are also covered entities (fully insured medical plans can also be covered entities, but their compliance with HIPAA is typically the insurance carrier’s responsibility). If they discover breaches, they are also obligated to report them. While employers are not, themselves, covered entities under HIPAA, the distinction makes little difference as the employers are typically the plan administrators responsible for their plans’ HIPAA requirements. The circumstances here are not unlike those of many employers and their group medical plans.

To voluntarily resolve the matter, the hospital agreed to pay $240,000 and implement a plan to update its policies and procedures to safeguard protected health information and train its workforce members to prevent this type of snooping behavior in the future. OCR noted that “[d]ata breaches caused by current and former workforce members impermissibly accessing patient records are a recurring issue across the healthcare industry. Healthcare organizations must ensure that workforce members can only access the patient information needed to do their jobs.” “HIPAA-covered entities must have robust policies and procedures in place to ensure patient health information is protected from identity theft and fraud.”

As part of the settlement, the hospital will be monitored for two years by OCR to ensure compliance with the HIPAA Security Rule. In addition, the hospital has agreed to take the following steps to bring their organization into compliance with the HIPAA Rules:

• Conduct an accurate and thorough risk analysis to determine the risks and vulnerabilities of electronic protected health information 
• Develop and implement a risk management plan to address and mitigate the identified security risks and vulnerabilities identified in the risk analysis
• Develop, maintain, and revise, as necessary, its written HIPAA policies and procedures
• Enhance its existing HIPAA and Security Training Program to provide workforce training on the updated HIPAA policies and procedures
• Review all relationships with vendors and third-party service providers to identify business associates and obtain business associate agreements with business associates if not already in place

The hospital did not, apparently, have sufficient training for those individuals who had the necessary access to PHI, nor did it maintain the appropriate level of electronic security measures to avoid non-essential persons gaining access to PHI. Similar requirements are imposed on self-funded employer medical plans. All plans should have a set of written HIPAA policies and procedures, including appropriate physical and electronic security measures to avoid inadvertent access to PHI by persons who are not “designated employees” who need such access in the administration of the plan and have been properly trained in the plan’s HIPAA protocols.  

Conclusion 

All covered entities, including employer-sponsored medical plans, should periodically review their HIPAA privacy practices and procedures. In addition, they need to periodically ascertain that no person other than designated employees has access to the plan’s PHI via the adoption of appropriate physical and electronic security measures and have their workforces trained on those policies and procedures.