Post Date: March 7, 2017            Topics: HIPAA

A hospital system agreed to a $5.5 million settlement with the Office for Civil Rights (OCR) for the U.S. Department of Health and Human Services (HHS) for potential HIPAA violations. The hospital system reported to OCR that the protected health information (PHI) of over 115,000 individuals had been impermissibly accessed by its employees and disclosed to staff at affiliated physician practices. One former employee’s login credentials were used to access the PHI of 80,000 patients over a year-long period. According to OCR’s investigation, the hospital system failed to implement procedures to review records of EHR activity (such as audit logs, access reports, and security incident tracking reports) and failed to implement policies and procedures to review, modify or terminate user’s access rights.

Read the press release and resolution agreement.