Tuesday, February 21, 2017

Hospital Fined $5.5 Million by HHS/OCR Due to Lack of Proactive Patient Privacy Controls
A Florida hospital has paid the Department of Health and Human Services (HHS) a $5.5 million settlement for "protected health information (PHI) impermissibly accessed by employees and impermissibly disclosed to affiliated physician office staff." The resolution agreement cited a lack of audit controls as a major factor in determining the settlement amount.

"They failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports."
- OCR Acting Director Robinsue Frohboese

Robinsue Frohboese, OCR Acting Director, stated: "Access to ePHI must be provided only to authorized users, including affiliated physician office staff. Further, organizations must implement audit controls and review audit logs regularly. As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen."

Learn how Veriphyr uses Structural Analytics to detect "impermissible use" of patient data in clinical and business applications by employees, contractors, and third parties.

Sources:
(a) HHS $5.5M Settlement - HHS, 2/17/2017

Copyright © 2010-2017 by Veriphyr Incorporated, All Rights Reserved.