Clearwater, Fla.-based BayCare Health System has agreed to pay $800,000 to HHS’ Office for Civil Rights and implement a corrective action plan as part of a settlement concerning alleged HIPAA violations.
The settlement stems from an HHS investigation into a complaint alleging impermissible access to an individual’s electronic protected health information.
In October 2018, a woman filed a complaint alleging that, after receiving treatment at a BayCare facility, she was contacted by an unknown individual who possessed photographs of her printed medical records and a video showing someone scrolling through her records on a computer screen. HHS determined that the credentials used to access her records belonged to a non-clinical former employee of a physician practice that had access to BayCare’s electronic medical records for the continuity of common patients’ care.
HHS’ investigation found that BayCare potentially violated several provisions of the HIPAA Security Rule, including:
- Failure to implement access controls aligned with the HIPAA Privacy Rule for authorizing access to ePHI;
- Failure to adequately assess and mitigate risks and vulnerabilities to ePHI; and
- Failure to conduct regular reviews of information system activity to detect unauthorized access.
Under the corrective action plan, which HHS will monitor for two years, BayCare agreed to take steps to resolve its potential HIPAA violations and to protect the privacy and security of ePHI, including:
- Conducting a risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity and availability of its ePHI;
- Implementing a risk management plan to address security risks and vulnerabilities identified in its risk analysis;
- Revising written policies and procedures to comply with the HIPAA rules; and
- Training workforce members who have access to ePHI on its HIPAA policies and procedures.
In a May 28 statement provided to Becker’s, a BayCare spokesperson said the health system “takes patient privacy very seriously” and has “cooperated fully” with HHS’ investigation.