security guard caught snooping cartoon

Hospital Security Guards Snooping on Medical Records Causes $240,000 HIPAA Settlement

Hospital Security Guards Snooping on Medical Records Causes $240,000 HIPAA Settlement


The breach affected more than 419 people, so Yakima Valley Memorial Hospital in Washington settles major fine after OCR investigation.


Security Guards

What Happened? The Situation

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) investigated claims that several security guards from the hospital impermissibly accessed the medical records of 419 individuals.

The investigation began in May 2018 after the OCR received a breach notification report about Yakima Valley Memorial Hospital.

  • An alleged 23 security guards employed in the hospital's emergency department inappropriately used their login credentials to access medical records in the organization's electronic medical record (EMR) system.
  • These security guards had unauthorized access to protected health information (PHI) including names, birth dates, medical records numbers, mailing addresses, treatment notes, and even insurance information.
  • Impermissibly accessing protected health information (PHI) is a severe HIPAA violation, especially when access is without a job-related purpose.


Prying Eyes Have No Secrets (Nor Security)

The OCR determined Yakima Valley Memorial Hospital (a nonprofit community hospital in Yakima, Washington) violated the Health Insurance Portability and Accountability Act (HIPAA) which protects the privacy and security of protected health information.

"Data breaches caused by current and former workforce members impermissibly accessing patient records are a recurring issue across the healthcare industry. Health care organizations must ensure that workforce members can only access the patient information needed to do their jobs. HIPAA covered entities must have robust policies and procedures in place to ensure patient health information is protected from identify theft and fraud."
- OCR Director Melanie Fontes Rainer.

In response to the investigation, Yakima Valley Memorial Hospital agreed to pay $240,000 and update its policies and procedures to safeguard protected health information. They also agreed to incorporate enhanced training for their workforce on HIPAA policies and procedures, as well as engaging with vendors and third-party service providers to ensure full compliance moving forward.


Summary of the Resolution Agreement and Corrective Action Plan

In addition to the settlement fine, Yakima Valley Memorial Hospital will be monitored for two years by OCR to ensure compliance with the HIPAA Security Rule.

The details outlined in the resolution agreement produced by the OCR reveals that Yakima Valley Memorial Hospital has agreed to take the following corrective actions to bring their organization into compliance with the HIPAA Rules:

Security Risk Analysis (SRA)

"Conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic protected health information (ePHI)."

Risk Management Program

"Develop and implement a risk management plan to address and mitigate identified security risks and vulnerabilities identified in the risk analysis."

HIPAA Policies and Procedures

"Develop, maintain, and revise, as necessary, its written HIPAA policies and procedures."

HIPAA Privacy and Security Workforce Training

"Enhance its existing HIPAA and Security Training Program to provide workforce training on the updated HIPAA policies and procedures."

Business Associate Agreements (BAAs)

"Review all relationships with vendors and third-party service providers to identify business associates and obtain business associate agreements with business associates if not already in place."

You can read the resolution agreement and corrective action plan in full here: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/yakima-ra-cap/index.html

As the HHS's enforcement agency of HIPAA Privacy and Security Rules about PHI, remember that the OCR is legally obligated to investigate all complaints filed on OCR's website by individuals who feel that their health privacy or civil rights have been violated.

Doctors in a office

Need help with HIPAA Compliance?

Get in touch with an HCP Compliance Advisor today. Discover how to achieve true protection through an effective HIPAA Compliance Program.