Washington Hospital Pays $240,000 HIPAA Penalty After Security Guards Access Medical Records

The HHS' Office for Civil Rights (OCR) investigates all reported breaches of the protected health information of 500 or more individuals and some smaller breaches to determine if the breach was caused by the failure to comply with the HIPAA Rules. OCR's latest HIPAA enforcement action confirms that it is not the scale of a data breach that determines if a financial penalty must be paid but the severity of the underlying HIPAA violations.

A relatively small data breach was reported to OCR on February 28, 2018, by Yakima Valley Memorial Hospital (formerly Virginia Mason Memorial), a 222-bed non-profit community hospital in Washington state. The hospital discovered that security guards had been accessing the medical records of patients when there was no legitimate work reason for the access, and 419 medical records had been impermissibly viewed.

OCR launched an investigation into the snooping incident in May 2018 and discovered widespread snooping on medical records by security guards in the hospital's emergency department. 23 security guards had used their login credentials to access medical records in the hospital's electronic medical record system when there was no legitimate reason for the access. The security guards were able to view protected health information such as names, addresses, dates of birth, medical record numbers, certain notes related to treatment, and insurance information.

OCR determined that the hospital had failed to implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the Security Rule – 45 C.F.R. Yakima Valley Memorial Hospital chose to settle the case with OCR and agreed to pay a financial penalty of $240,000 with no admission of liability.

As used in this subpart, the following terms have the following meanings:

Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.

(1) Breach excludes:

(i) Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under subpart E of this part.

(ii) Any inadvertent disclosure by a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under subpart E of this part.

(iii) A disclosure of protected health information where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

(2) Except as provided in paragraph (1) of this definition, an acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;

(iii) Whether the protected health information was actually acquired or viewed; and

(iv) The extent to which the risk to the protected health information has been mitigated.

Unsecured protected health information means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Pub.