Today, the US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with BayCare Health System (BayCare), a Florida healthcare provider, concerning several potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement resolves an OCR investigation based on a complaint concerning impermissible access to the complainant’s electronic protected health information (ePHI). OCR initiated the investigation following its receipt of a complaint in October 2018, in which the complainant alleged that after receiving treatment at a BayCare facility, she was contacted by an unknown individual who had photographs of her printed medical records, as well as a video of someone scrolling through her medical records on a computer screen. The investigation determined that the credentials used to access the complainant’s medical record belonged to a non-clinical former staff member of a physician’s practice, which had access to BayCare’s electronic medical records for the continuity of common patients’ care. OCR’s investigation found BayCare potentially violated multiple HIPAA Security Rule requirements.