You Could End Up Paying Millions for Employees’ HIPAA Violations

The U.S. Department of Health & Human Services’ Office of for Civil Rights (HHS OCR) has made it very clear that it’s the operator’s responsibility to police its own data policies—even among employees. Memorial Healthcare Systems (MHS) found that out the hard way, and now has to pay HHS $5.5 million to settle “potential violations” of HIPAA’s Privacy and Security rules, and to implement a “robust” 3-year corrective action plan and resolution agreement. HHS came down hard on the company for long-term breaches engineered by employees to facilitate identity theft and fraudulent tax returns. MHS actually brought the problem to the attention of HHS OCR, but the agency determined that MHS didn’t have sufficient processes in place to prevent such breaches to begin with; nor did it have the wherewithal to detect them in a timelier manner. The eventual accounting found that the personal information of more than 115,000 people—including names, dates of birth, and Social Security numbers-had been accessed and disclosed illegally to affiliated physician office staff. The login credentials of a former employee of an affiliated physician’s office had been used to access the records maintained by MHS daily without detection between April 2011 and April 2012. The case underscores the importance of having adequate measures to both prevent such breaches from happening, but also to audit systems containing personal health information regularly.