In $5.5 Million HIPAA Settlement, HHS Cites Faulty Security Audit Controls

The Department of Health and Human Services (HHS) announced a $5.5 million settlement with a public health care system, and covered entity under the Health Insurance Portability and Accountability Act (HIPAA), to address potential HIPAA violations involving the disclosure of individuals' protected health information.

Practical Law Employee Benefits & Executive Compensation

On February 16, 2017, HHS announced a $5.5 million settlement with a nonprofit, Florida-based public health care system, which includes several hospitals, a nursing home, and related health care facilities, for potential HIPAA violations (see HIPAA Toolkit ( ). HHS's investigation occurred after the health care system, a HIPAA covered entity, provided HHS with an initial breach notification and an addendum breach report concerning improper access to patients' protected health information (PHI) (see Practice Notes, HIPAA Breach Notification Rules for Group Health Plans ( and HIPAA Enforcement and Group Health Plans: Penalties and Investigations ( ).


Scope of Alleged Violations

In April 2012, the covered entity informed the government, via HIPAA breach notification, that two of its employees had improperly accessed patient information (including the patients' names, dates of birth, and social security numbers). In a follow-on report submitted to HHS a few months later (and after an internal investigation), the covered entity indicated that:

  • 12 users had gained impermissible access to information at physician offices affiliated with the health care system.

  • More than 105,500 individuals were potentially affected by the improper access.

According to HHS, these incidents resulted in federal charges involving the sale of PHI and the filing of fraudulent tax returns.

Following its own investigation, HHS concluded that the covered entity violated the HIPAA Privacy Rule by:


Corrective Action Plan

In addition to the $5.5 million payment, the covered entity must adhere to a corrective action plan (CAP) that includes:

  • Completion of a risk analysis of enterprise-wide risks to the security of PHI, along with:

    • implementation of a risk management plan to address these risks; and

    • evidence that appropriate security measures and safeguards identified in the risk management plan are being implemented.

  • Revisions to the covered entity's policies and procedures governing:

    • the establishment, modification, and termination of access (including protocols for access by affiliated physicians, their practices, and employees);

    • information system activity to provide for the regular review of audit logs, access reports, and security incident tracking reports; and

    • compliance with the HIPAA Security Rule standards for security management processes (including to prevent, detect, contain, and correct security violations).

  • Submission of the covered entity's revised policies and procedures to HHS for its approval, followed by adoption and distribution of the policies and procedures to the covered entity's workforce members (and including the workforce members of the covered entity's HIPAA business associates; see Standard Document, HIPAA Business Associate Agreement ( ).

  • Internal monitoring of the covered entity's compliance with the CAP.

  • Review of the covered entity's CAP compliance by an objective and independent third-party assessor (a requirement that includes a lengthy list of numerous subparts, such as unannounced site visits to the covered entity's various facilities by the assessor).

  • A six-year document retention rule regarding all records related to the covered entity's compliance with the CAP.


Practical Impact: Audit Controls

This latest HHS settlement caught our eye because it involves an aspect of HIPAA compliance for covered entities – specifically, audit controls under the HIPAA Security Rule – that has not received as much attention in recent settlements as other parts of the HIPAA rules. However, given the size of the payment here and the scope of the CAP requirements (which the government characterized as "robust"), it is clear that HHS wants covered entities to focus more closely on audit controls under the Security Rule (see Practice Note, HIPAA Security Rule ( ).

In a newsletter issued last month, HHS offered greater detail regarding the audit controls (for example, regularly monitoring and logging user activities) that might have prevented the impermissible access to PHI by former employees that resulted in this settlement. The newsletter includes several examples of audit trails and emphasizes the importance of these trails in maintaining a record of system activity and preventing breaches from occurring.

{ "siteName" : "PLC", "objType" : "PLC_Doc_C", "objID" : "1248450393021", "objName" : "ACT_OWNED - READ_ONLY - w-006-4705", "userID" : "2", "objUrl" : "", "pageType" : "Resource", "academicUserID" : "", "contentAccessed" : "true", "analyticsPermCookie" : "2-34f33658:15b1d3e4922:f09", "analyticsSessionCookie" : "2-34f33658:15b1d3e4922:f0a", "statisticSensorPath" : "" }