Snooping in Records by Security Officers Costs Yakima Valley Memorial $240K
Yakima Valley Memorial Hospital has agreed to pay $240,000 for HIPAA violations by 23 of its security officers.
Photo: zimmytws, Adobe Stock
The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced last week it had resolved its investigation of Yakima Valley Memorial Hospital’s alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Several of Yakima Valley Memorial’s security officers are believed to have impermissibly accessed the records of 419 individuals.
To voluntarily resolve this matter, the hospital agreed to pay $240,000 and implement a plan to update its policies and procedures to safeguard protected health information and train its employees to prevent this type of snooping behavior in the future.
In May 2018, OCR initiated an investigation of Yakima Valley Memorial following the receipt of a breach notification report, stating that 23 security officers working in the hospital’s emergency department used their login credentials to access patient medical records maintained in the hospital’s electronic medical record system without a job-related purpose. The information accessed included names, dates of birth, medical record numbers, addresses, certain notes related to treatment, and insurance information.
As a result of the settlement agreement, Yakima Valley Memorial will be monitored for two years by OCR to ensure compliance with the HIPAA Security Rule. The hospital has agreed to take the following steps to bring their organization into compliance with HIPAA:
- Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic protected health information;
- Develop and implement a risk management plan to address and mitigate identified security risks and vulnerabilities identified in the risk analysis;
- Develop, maintain, and revise, as necessary, its written HIPAA policies and procedures;
- Enhance its existing HIPAA and Security Training Program to provide workforce training on the updated HIPAA policies and procedures;
- Review all relationships with vendors and third-party service providers to identify business associates and obtain business associate agreements with business associates if not already in place.
The resolution agreement and corrective action plan may be found at: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/yakima-ra-cap/index.html
If you appreciated this article and want to receive more valuable industry content like this, click here to sign up for our FREE digital newsletters!
Related Content
Leading in Turbulent Times: Effective Campus Public Safety Leadership for the 21st Century
This new webcast will discuss how campus public safety leaders can effectively incorporate Clery Act, Title IX, customer service, “helicopter” parents, emergency notification, town-gown relationships, brand management, Greek Life, student recruitment, faculty, and more into their roles and develop the necessary skills to successfully lead their departments. Register today to attend this free webcast!
Part of this report should have included the reasons behind the snooping and what the stolen data was used for and how widespread the intrusions were, and how long it was going on. The action taken against the security officers might also be included. (We often see reports of wrongdoing only to find that the employees were not disciplined and/or are still employed by the target institution.) Were attempts made to shift the financial burden to the agency providing the offending officers?