Health Law Scan

Legal Insights and Perspectives for the Healthcare Industry

OCR Announces Settlement Agreement in PHI Breach

On June 15, 2023, the US Department of Health and Human Services, Office for Civil Rights (OCR), announced a settlement agreement with Yakima Valley Memorial Hospital (Yakima), a not-for-profit community hospital, arising from Yakima employees' snooping in medical records, which resulted in a breach of protected health information (PHI).

On May 18, 2018, OCR opened an investigation into Yakima after receiving a breach report dated February 28, 2018. The investigation assessed whether Yakima had failed to implement reasonable and appropriate policies and procedures to comply with the HIPAA Security Rule. Yakima had reported that 23 security guards working in the hospital's emergency department used their own login credentials to access 419 patient medical records without a job-related purpose.

The PHI accessed by the security guards included patient names, dates of birth, medical record numbers, addresses, treatment notes, and insurance information. In its statement on the settlement, OCR emphasized that, because data breaches caused by current and former employees have become a recurring issue in healthcare, HIPAA covered entities must have policies and procedures in place to protect PHI and to ensure that workforce members can access only the PHI they need to perform their duties.

OCR and Yakima executed the settlement agreement on May 15, 2023. Under the agreement, Yakima agreed to pay $240,000 and entered into a corrective action plan (CAP) that will remain in effect for two years.

The CAP requires Yakima to undertake a series of actions to strengthen its HIPAA compliance, including, but not limited to:

  • completing an enterprise-wide risk assessment;
  • developing and implementing an enterprise-wide risk-management plan to address the vulnerabilities identified in the risk assessment;
  • developing, maintaining, and revising its HIPAA policies and procedures as necessary;
  • updating its HIPAA workforce training;
  • reviewing its relationships with vendors to determine whether HIPAA business associate agreements need to be put in place or updated; and
  • submitting reports regarding its compliance with the CAP.

The settlement is neither an admission of wrongdoing by Yakima nor an acknowledgment that Yakima violated HIPAA.