On February 16, 2017, the Office for Civil Rights (OCR) announced a $5.5 million settlement with South Broward Hospital District d/b/a Memorial Healthcare System (Healthcare System), to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Healthcare System is a nonprofit corporation that operates several hospitals, an urgent care center, a nursing home, and ancillary health care facilities throughout south Florida. The Healthcare System is also affiliated with physician offices through an Organized Health Care Arrangement (OHCA).
The breach had been self-reported by the Healthcare System. The electronic protected health information (ePHI) involved in the breach included names, dates of birth, and social security numbers. According to OCR, “the login credentials of a former employee of an affiliated physician’s office had been used to access the ePHI maintained by [the Healthcare System] on a daily basis without detection from April 2011 to April 2012, affecting 80,000 individuals.”
This settlement underscores the importance of audit controls to monitor user access, including the release of ePHI to OHCA members. Even though the Healthcare System had policies and procedures in place addressing workforce access, the OCR investigation indicated that the Healthcare System failed to implement procedures for regularly reviewing records of information system activity, such as audit logs, access reports, and security incident tracking reports. OCR explained that the Healthcare System “failed to regularly review records of information system activity on applications that maintain electronic protected health information by workforce users and users at affiliated physician practices, despite having identified this risk on several risk analyses conducted by [the Healthcare System] from 2007 to 2012.”