Adriana Acuña
Information Privacy Law
Professor: Ira Rubinstein
February 21st, 2017
Major HIPAA settlement of $5.5 million
On February 16th, 2017, Memorial Healthcare System, a Florida-based health system, and the Department of Health and Human Services’ Office for Civil Rights (“OCR”) reached a settlement resolving potential violations of the Health Insurance Portability and Accountability Act (“HIPAA” or the “Act”). As part of the settlement, Memorial Healthcare System agreed to pay $5.5 million and to implement a corrective action plan.
This case originated in 2012, when the organization discovered a breach of its patients’ electronic Protected Health Information (“ePHI”). Specifically, employees had inappropriately accessed such information in order to make money by filing fraudulent tax returns. The employees’ modus operandi was to use legitimate login credentials to access the information, so the access did not look like an intrusion from outside. As soon as Memorial Healthcare System learned of this, it made the required breach report to OCR.
It was established that the information of 115,143 patients had been accessed, including names, birthdates and Social Security numbers. Although Memorial Healthcare System did have procedures in place to secure access to ePHI, it did not follow its own procedures for regularly reviewing, modifying and terminating users’ access rights to ePHI, in particular where a user’s authorization had ended but the credentials remained active. Having an access-control policy on paper is not the same as periodically checking that every active account still corresponds to a person who is currently authorized.
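The control that was missing here is a recurring access review: reconciling the accounts that can reach ePHI against the HR roster and acting on the differences. The following script is an added illustration of that review and is not code from Memorial Healthcare System, OCR or any of the linked articles. The account list, HR roster, dates and the 90-day dormancy threshold are constructed for the example; a real review would pull the same two data sets from the EHR or identity provider and from HR, and the thresholds would come from the entity's own policy.

```python
"""Periodic ePHI access review (added example with constructed data).

Reconciles application accounts against the HR roster and sorts each enabled
account into one of three buckets:
  terminate   - the person is no longer an authorized workforce member
  investigate - a terminated person's account was used after separation
  recertify   - the account is active but dormant, so a manager must re-approve it
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool
    last_login: Optional[date]  # None means the account has never been used


@dataclass(frozen=True)
class Worker:
    user_id: str
    active: bool
    end_date: Optional[date]  # separation date, set once active is False


Findings = Dict[str, List[Tuple[str, str]]]


def review_access(accounts: List[Account], roster: List[Worker],
                  as_of: date, dormant_days: int = 90) -> Findings:
    """Return the accounts that need action, keyed by action."""
    by_id = {w.user_id: w for w in roster}
    findings: Findings = {"terminate": [], "investigate": [], "recertify": []}
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled; nothing to review
        worker = by_id.get(acct.user_id)
        if worker is None:
            # Account with no HR record at all (e.g. a vendor or test login).
            findings["terminate"].append((acct.user_id, "no HR record"))
            continue
        if not worker.active:
            findings["terminate"].append(
                (acct.user_id, f"separated on {worker.end_date}"))
            # Use after separation is the signal that credentials were misused,
            # not merely left enabled.
            if acct.last_login and worker.end_date and acct.last_login > worker.end_date:
                findings["investigate"].append(
                    (acct.user_id,
                     f"last login {acct.last_login} is after separation {worker.end_date}"))
            continue
        if acct.last_login is None or (as_of - acct.last_login).days > dormant_days:
            findings["recertify"].append((acct.user_id, "dormant or never used"))
    return findings


# Constructed sample data for the example (hypothetical names and dates).
AS_OF = date(2012, 4, 1)
ACCOUNTS = [
    Account("jdoe", True, date(2012, 3, 30)),    # active clinician, recent use
    Account("rsmith", True, date(2012, 3, 29)),  # left in 2011, still logging in
    Account("tlee", True, None),                 # active worker, never logged in
    Account("mchan", False, date(2011, 12, 1)),  # already disabled
    Account("vendor9", True, date(2012, 1, 2)),  # no HR record
    Account("pwong", True, date(2011, 11, 1)),   # active worker, dormant
]
ROSTER = [
    Worker("jdoe", True, None),
    Worker("rsmith", False, date(2011, 4, 15)),
    Worker("tlee", True, None),
    Worker("mchan", False, date(2011, 12, 15)),
    Worker("pwong", True, None),
]


def run_review() -> Findings:
    """Run the review over the constructed data set."""
    return review_access(ACCOUNTS, ROSTER, AS_OF)


if __name__ == "__main__":
    for action, items in run_review().items():
        print(f"{action}:")
        for user_id, reason in items:
            print(f"  {user_id}: {reason}")
```

Run monthly (or on every HR separation event), the "terminate" bucket is what closes the gap described above, and the "investigate" bucket is what turns a stale account into an incident rather than a housekeeping item.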
Kerting Baldwin, a Memorial Healthcare System spokeswoman, stated that the organization has made several changes to its internal procedures for securing access to ePHI. As part of these efforts, it also contracted with an independent technology firm and with IBM to implement a better system for safeguarding patients’ confidential information.
This is just one of multiple settlements involving a breach of ePHI. Memorial Healthcare System evidently had good intentions in securing access to ePHI. However, good intentions backed only by general protective measures are not enough. In this technological era, covered entities (as defined by HIPAA) have to follow every provision of the Act in order to avoid potential liability.
Furthermore, covered entities should go one step further and adopt what I call a “prevention system” instead of a “remedial system”. This means that covered entities should not wait until there is a HIPAA violation to act and implement corrective measures, that is, merely seek a remedy for a wrong that has already occurred. Instead, they should implement in advance every feasible measure to safeguard patients’ information and prevent a breach. It is true that a prevention system faces obstacles, such as how to ensure control over employees.
However, I believe this could be addressed through agency theory, under which a fiduciary duty is owed. In sum, covered entities should use their best efforts to provide procedures that secure patients’ information. This will ultimately benefit not only the patients but also the covered entities, which may thereby avoid severe financial penalties.
Links:
[1] http://www.hipaajournal.com/ocr-record-hipaa-settlement-memorial-healthcare-system-8695/
[2] https://www.nytimes.com/aponline/2017/02/18/us/ap-us-stolen-patient-information.html
[3] http://www.sun-sentinel.com/local/broward/fl-reg-memorial-hippa-settlement-20170217-story.html