MultiCare community hospital agrees to HIPAA settlement over 'snooping' security guards

A Washington community hospital is paying settlement fees and implementing a corrective action plan after a Department of Health and Human Services Office for Civil Rights (OCR) investigation caught numerous security guards “snooping” on patients’ electronic medical records.

Yakima Valley Memorial Hospital, part of the 12-hospital nonprofit MultiCare since January, agreed to pay $240,000 to the government and be monitored for Health Insurance Portability and Accountability Act (HIPAA) compliance for two years.

“Data breaches caused by current and former workforce members impermissibly accessing patient records are a recurring issue across the healthcare industry,” OCR Director Melanie Fontes Rainer said in a statement from the office. “Healthcare organizations must ensure that workforce members can only access the patient information needed to do their jobs.”

OCR said it launched its investigation in May 2018 after receiving a breach notification report. The report alleged that 23 emergency department security guards “used their login credentials to access patient medical records maintained in Yakima Valley Memorial Hospital’s electronic medical record system without a job-related purpose,” OCR said.

The guards allegedly accessed records for 419 people, which included their names, dates of birth, medical record numbers, addresses, treatment notes and insurance information, OCR said.

Yakima’s voluntary settlement—which is not an admission of guilt—also tasks the hospital with conducting a thorough risk analysis, developing and implementing a risk management plan, reviewing its vendor and third-party relationships and overhauling HIPAA-related policies and training procedures for employees. The hospital must also submit written reports to HHS outlining its progress.

“HIPAA-covered entities must have robust policies and procedures in place to ensure patient health information is protected from identity theft and fraud,” Rainer said.

In its most recent annual report to Congress, OCR said complaints of HIPAA violations had increased by 39% from 2017 to 2021.