Yakima Valley Memorial Hospital reached a settlement with the Office for Civil Rights of the U.S. Department of Health and Human Services following an investigation under the Health Insurance Portability and Accountability Act of 1996.
OCR looked into claims that a number of security guards working at Yakima Valley Memorial Hospital, a not-for-profit community hospital in Yakima, Wash., had illegal access to the medical records of 419 people, according to a June 15 news release.
“Data breaches caused by current and former workforce members impermissibly accessing patient records are a recurring issue across the healthcare industry. Health care organizations must ensure that workforce members can only access the patient information needed to do their jobs,” OCR Director Melanie Fontes Rainer said in the release. “HIPAA covered entities must have robust policies and procedures in place to ensure patient health information is protected from identity theft and fraud.”
HIPAA safeguards the confidentiality and security of protected health information, the release reported. The HIPAA Privacy, Security and Breach Notification Rules govern how the privacy and security of health information are protected and are applicable to the majority of healthcare businesses.
As part of a voluntary settlement of the dispute, Yakima Valley Memorial Hospital agreed to pay $240,000 and develop a plan to improve its policies and procedures to preserve protected health information as well as teach its staff members to avoid future instances of this type of snooping conduct, the release said.
Following the receipt of a breach notification report in May 2018, OCR opened an investigation into Yakima Valley Memorial Hospital after learning 23 security guards working in the emergency room had improperly used their login information to access patient medical records kept in the hospital's electronic medical record system. Names, birth dates, medical record numbers, residences, some treatment-related notes and insurance information were among the data accessed, according to the release.
As a result of the settlement agreement, OCR will monitor Yakima Valley Memorial Hospital for two years to make sure the HIPAA security rule is being followed, the release said.
To bring its business into conformity with the HIPAA rule, Yakima Valley Memorial Hospital will carry out a precise and comprehensive risk analysis to identify the threats and weaknesses to electronic protected health information; address and reduce identified security risks and vulnerabilities found in the risk analysis; develop and implement a risk management plan; create, maintain and update its documented HIPAA policies and procedures as appropriate; and improve its current HIPAA and security training program to train staff on the most recent HIPAA policies and procedures, the release reported.