$5.5 million HIPAA settlement highlights importance of audit controls
The U.S. Department of Health and Human Services (HHS) and a large health system agreed to a $5.5 million settlement for potential violations of the HIPAA Privacy and Security Rules, along with implementation of a corrective action plan. The nonprofit corporation operates six hospitals, an urgent care center, a nursing home, and a variety of ancillary health care facilities. It is also affiliated with a number of physician offices. The organization reported to HHS that the protected health information (including names, dates of birth, and Social Security numbers) of 115,143 individuals had been impermissibly accessed by employees and disclosed to affiliated physician office staff. While it had workforce access policies and procedures in place, HHS alleged that it failed to implement adequate procedures for reviewing, modifying and/or terminating users’ right of access, as required by the HIPAA Rules. Access the MGMA HIPAA Resource Center for privacy and security tools and resources.