UPDATE: On February 17, 2017,
Audit Controls Underlined in $5.5M OCR HIPAA Settlement
Memorial Healthcare Systems recently agreed to an OCR HIPAA settlement, with a lack of audit controls cited as a key factor in the decision.
Florida-based Memorial Healthcare Systems (MHS) recently agreed to a $5.5 million OCR HIPAA settlement, stemming from incidents that were reported in 2012. OCR stated that a lack of audit controls was a major factor in the determined settlement.
A PHI data breach was first reported to OCR on April 12, 2012, in which MHS employees inappropriately accessed patient information, including names, dates of birth, and Social Security numbers. An additional report was sent a few months later after MHS found that further impermissible access had occurred.
In the second incident, 105,646 individuals had their information accessed. Furthermore, some information was then sold to file fraudulent tax returns.
An HHS investigation found that 80,000 individuals’ PHI was disclosed when MHS gave a former employee of an affiliated physician practice access to the data from April 1, 2011, to April 27, 2012.
Additionally, “MHS failed to implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports,” from January 1, 2011 to June 1, 2012. In that same time frame, MHS also did not implement necessary policies and procedures to “establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.”
“Further, organizations must implement audit controls and review audit logs regularly. As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches but to prevent them before they happen.”
Per the HHS corrective action plan, MHS must complete a risk analysis and risk management plan, which includes adhering to the following:
- All risks and vulnerabilities identified at MHS related to enterprise-wide PHI security
- Evidence that MHS has implemented and maintains a risk management plan to address such risks and vulnerabilities or dates of expected implementation
- Evidence of implementation, or evidence of efforts towards implementation, of security measures or other safeguards identified in the risk management plan to address identified risks and vulnerabilities.
- MHS policies and procedures related to information system activity must also be updated. This includes the regular review of audit logs, access reports, and security incident tracking reports.
- Protocols for access to MHS’s e-PHI by affiliated physicians, their practices, and their employees also need to be revised. MHS policies and procedures related to overall risk analysis and management must be updated as well.
The updated policies and procedures need to be properly distributed to all MHS workforce members, including business associates and affiliated physician practice members.
MHS internal monitoring, external assessments, and internal reporting must also be revised, according to HHS. A key part of this is to ensure that all workforce members with ePHI access are adhering to HIPAA regulations.
Audit controls have already been a key OCR focus this year, as the agency discussed the necessity of audit controls in its January cybersecurity newsletter.
OCR explained that reviewing and securing audit trails, and ensuring that the proper tools to collect, monitor, and review those audit trails are in place, are key audit control considerations for covered entities and business associates.
When determining reasonable and appropriate audit controls for information systems containing or using ePHI, Covered Entities and Business Associates must consider their risk analysis results and organizational factors, such as their current technical infrastructure, hardware, and software security capabilities, OCR wrote in a newsletter.