HIPAA Update: Florida Health System Pays $5.5 Million for HIPAA Violations

Memorial Healthcare System (MHS), a Florida non-profit organization that operates numerous hospitals and healthcare facilities, has paid $5.5 Million to the federal Department of Health & Human Services (HHS) to settle allegations of federal HIPAA law violations. MHS reported to HHS that protected health information of over 115,000 individuals had been illicitly accessed by MHS employees and disclosed to affiliated physician office staffs. Specifically, the login credentials of a former employee of an affiliated physician’s office had been used to access electronic protected health information (ePHI) maintained by MHS from April 2011 to April 2012. The ePHI contained names, birth dates, social security numbers and other confidential information. MHS failed to implement procedures for reviewing, modifying and terminating users’ right of access, in violation of HIPAA. Further, MHS did not regularly review information system activity on applications that store ePHI.

The Acting Director of the HHS Office for Civil Rights stated in response to the violations, “Access to ePHI must be provided only to authorized users, including affiliated physician office staff… Organizations must implement audit controls and review audit logs regularly. As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks.”