A healthcare system in south Florida has paid $5.5 million to the U.S. Department of Health and Human Services (HHS) to settle potential violations of the Health Insurance Portability and Accountability Act privacy and security rules, reports HHS's Office for Civil Rights (OCR). Employees "impermissibly" accessed the names, birth dates, and Social Security numbers of more than 115,000 individuals and disclosed the information to office staff. The login credentials of a former employee of an affiliated physician's office had been used to access protected health information (PHI) on a daily basis. The access was undetected over the course of a year. OCR notes that the healthcare system "failed to implement procedures with respect to reviewing, modifying, and/or terminating users' right of access, as required by the HIPAA Rules." OCR further notes that the healthcare system did not regularly review system activity despite having identified inappropriate access as a risk in the years prior to the breach. OCR has posted the Resolution Agreement and Corrective Action Plan, as well as guidance on audit controls and trails.
HRC Recommends: The HIPAA security rule specifies that covered entities and business associates must identify risks and vulnerabilities with regard to the confidentiality, integrity, and availability of their electronic PHI; determine what controls are effective in meeting each security rule implementation standard; assess the effectiveness of their current security efforts; prioritize actions; implement an action plan; monitor effectiveness; and make appropriate changes as reasonably necessary. Despite this rule, OCR audits consistently find that such risk analyses, and follow-up on their findings, do not occur or are insufficient.
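The two control failures OCR cites above, access rights that were never terminated and system activity that was never reviewed, can be caught by routinely reconciling PHI access logs against the HR roster. The following is an added illustration, not code from OCR, HHS or the healthcare system; the roster, log format and user ids are constructed for the example.

```python
from datetime import date, timedelta

# Constructed HR roster (hypothetical): user id -> termination date, None if active.
HR_ROSTER = {
    "jdoe": date(2023, 3, 15),   # left the affiliated practice
    "asmith": None,              # current employee
    "rlee": date(2023, 9, 1),
}
# Constructed PHI access log, one event per line: date,user,record_id,fields_viewed
ACCESS_LOG = """\
2023-03-10,jdoe,P1001,name;dob;ssn
2023-03-20,jdoe,P1002,name;dob;ssn
2023-04-01,jdoe,P1003,name;dob;ssn
2023-04-02,asmith,P1004,name
2023-09-05,rlee,P1005,ssn
2023-05-01,ghost,P1006,name;dob
"""

def parse_log(text):
    """Yield (date, user, record, fields) tuples; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        yield date.fromisoformat(parts[0]), parts[1], parts[2], parts[3].split(";")

def review_access(log_text, roster, grace_days=0):
    """Flag PHI access by accounts HR lists as terminated, or does not list at all.
    grace_days is the deprovisioning window tolerated after the termination date."""
    findings = []
    for when, user, record, _fields in parse_log(log_text):
        if user not in roster:
            findings.append((when, user, record, "account not on HR roster"))
            continue
        term = roster[user]
        if term is not None and when > term + timedelta(days=grace_days):
            days = (when - term).days
            findings.append((when, user, record, f"access {days} days after termination"))
    return findings

def summarize(findings):
    """Per-user count and first/last flagged date, i.e. how long the access persisted."""
    out = {}
    for when, user, _record, _reason in findings:
        s = out.setdefault(user, {"count": 0, "first": when, "last": when})
        s["count"] += 1
        s["first"] = min(s["first"], when)
        s["last"] = max(s["last"], when)
    return out
```

Run weekly rather than yearly, the summary's first/last dates show a reviewer how long a former employee's credentials stayed in use, which is the gap that went unnoticed in the case above.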