Snooping in Medical Records by Hospital Security Guards Leads to $240,000 HIPAA Settlement
Yakima Valley Memorial Hospital in Washington settles breach that affected 419 people
Today, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement with Yakima Valley Memorial Hospital, a not-for-profit community hospital located in Yakima, Washington, resolving an investigation under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). OCR investigated allegations that several security guards from Yakima Valley Memorial Hospital impermissibly accessed the medical records of 419 individuals. HIPAA is a federal law that protects the privacy and security of protected health information. The HIPAA Privacy, Security, and Breach Notification Rules apply to most health care organizations and set the requirements that HIPAA-regulated entities must follow to protect the privacy and security of health information. To voluntarily resolve this matter, Yakima Valley Memorial Hospital agreed to pay $240,000 and implement a plan to update its policies and procedures to safeguard protected health information and train its workforce members to prevent this type of snooping behavior in the future.
“Data breaches caused by current and former workforce members impermissibly accessing patient records are a recurring issue across the healthcare industry. Health care organizations must ensure that workforce members can only access the patient information needed to do their jobs,” said OCR Director Melanie Fontes Rainer. “HIPAA covered entities must have robust policies and procedures in place to ensure patient health information is protected from identity theft and fraud.”
In May 2018, OCR initiated an investigation of Yakima Valley Memorial Hospital following the receipt of a breach notification report, stating that 23 security guards working in the hospital’s emergency department used their login credentials to access patient medical records maintained in Yakima Valley Memorial Hospital’s electronic medical record system without a job-related purpose. The information accessed included names, dates of birth, medical record numbers, addresses, certain notes related to treatment, and insurance information.
As a result of the settlement agreement, Yakima Valley Memorial Hospital will be monitored for two years by OCR to ensure compliance with the HIPAA Security Rule. Yakima Valley Memorial Hospital has agreed to take the following steps to bring their organization into compliance with the HIPAA Rules:
- Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic protected health information;
- Develop and implement a risk management plan to address and mitigate identified security risks and vulnerabilities identified in the risk analysis;
- Develop, maintain, and revise, as necessary, its written HIPAA policies and procedures;
- Enhance its existing HIPAA and Security Training Program to provide workforce training on the updated HIPAA policies and procedures;
- Review all relationships with vendors and third-party service providers to identify business associates and obtain business associate agreements with business associates if not already in place.
The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/yakima-ra-cap/index.html
OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of peoples’ health information. If you believe that your or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR at https://www.hhs.gov/ocr/complaints/index.html.