The HIPAA breach by two dozen guards at Yakima Valley Memorial Hospital affected 419 patients.
A community hospital in Washington state will pay $240,000 to resolve patient records breaches by snooping security guards, the federal government says.
Not-for-profit Yakima Valley Memorial Hospital agreed to the settlement for the self-disclosed violations of the Health Insurance Portability and Accountability (HIPAA) in 2018, the Department of Health and Human Services Office of Civil Rights announced this week.
"Data breaches caused by current and former workforce members impermissibly accessing patient records are a recurring issue across the healthcare industry," says OCR Director Melanie Fontes Rainer.
"Healthcare organizations must ensure that workforce members can only access the patient information needed to do their jobs. HIPAA covered entities must have robust policies and procedures in place to ensure patient health information is protected from identify theft and fraud," she says.
MultiCare Health System, the Tacoma-based, 12-hospital system that bought the 226-bed Yakima Valley Memorial and its two dozen clinics in January, issued a brief statement acknowleding the settlment but noted that the breaches occurred in 2016 and 2017, long before MultiCare owned the hospital.
According to OCR, following the self-disclosure of the violation in May 2018, the ensuing investigation determined that "23 security guards working in the hospital’s emergency department used their login credentials to access patient medical records maintained in Yakima Valley Memorial Hospital’s electronic medical record system without a job-related purpose."
The personal information of the 419 patients identified in the breach included names, dates of birth, medical record numbers, addresses, treatment notes, and insurance information, OCR says.
In addition to the fine, OCR will monitor Yakima Valley Memorial for two years to ensure HIPAA compliance and will also:
- Conduct a risk analysis to determine risks and vulnerabilities to electronic protected health information;
- Implement a risk management plan to address and mitigate identified security risks and vulnerabilities;
- Develop, maintain, and revise its written HIPAA policies and procedures;
- Enhance its existing HIPAA and Security Training Program to provide workforce training on the updated HIPAA policies;
- Review all relationships with vendors and obtain business associate agreements.
“Data breaches caused by current and former workforce members impermissibly accessing patient records are a recurring issue across the healthcare industry.”
Melanie Fontes Rainer, director, HHS-OCR
John Commins is a content specialist and online news editor for HealthLeaders, a Simplify Compliance brand.
The OCR investigation found that 23 ER security guards used their login credentials to access patient medical records.
The personal information of 419 patients identified in the breach included names, dates of birth, medical record numbers, addresses and treatment notes.
MultiCare Health System acknowledged the settlment but noted that the breaches occurred in 2016 and 2017, long before MultiCare acquired Yakima Valley Memorial.