OCR Settles with Health System over Unauthorized Access to Patient Records

The US Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement with a Florida healthcare system concerning several potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule. The settlement, announced on May 28, 2025, resolves an OCR investigation following a complaint about impermissible access to an individual’s electronic protected health information (ePHI).

OCR launched the investigation after receiving a complaint in October 2018. The complainant alleged that, following treatment at one of the healthcare system’s facilities, she was contacted by an unknown individual who had photographs of her printed medical records and a video showing someone scrolling through her electronic records on a computer screen.

OCR’s investigation revealed that the credentials used to access the complainant’s medical record belonged to a non-clinical former staff member of a physician’s practice. The practice had access to the healthcare system’s electronic medical records as part of care coordination for shared patients.

OCR determined that the healthcare system potentially violated multiple provisions of the HIPAA Security Rule, including:

    • Failing to implement policies and procedures to control and authorize access to ePHI, in accordance with the HIPAA Privacy Rule;
    • Failing to reduce risks and vulnerabilities to ePHI to a reasonable and appropriate level; and
    • Failing to regularly review records of information system activity.

As part of the settlement, the healthcare system agreed to pay $800,000 and implement a corrective action plan, which OCR will monitor for two years. The corrective actions include:

    • Conducting an accurate and thorough risk analysis to determine the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI;
    • Developing and implementing a risk management plan to address and mitigate security risks and vulnerabilities identified in its risk analysis;
    • Revising, as necessary, its written policies and procedures to comply with the HIPAA Rules; and
    • Training its workforce that has access to ePHI on its HIPAA policies and procedures.

“In an era of hacking and ransomware attacks, HIPAA regulated entities still need to ensure that workforce members and other users with access to an electronic medical record only have access to the health information necessary for them to perform their jobs,” said OCR Acting Director Anthony Archeval. “Allowing unrestricted access to patient health information can create an attractive target for a malicious insider.”

Compliance Perspective

Issue

The HIPAA Security Rule requires covered entities and business associates to implement appropriate administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). Confidentiality, as defined under HIPAA, means that ePHI is not made available or disclosed to unauthorized individuals. Organizations must implement and enforce policies and procedures to control access to ePHI, regularly assess risks and vulnerabilities, train workforce members on their responsibilities under HIPAA, and monitor system activity to detect and respond to inappropriate access or use. Failure to do so may result in unauthorized disclosures, security incidents, or violations of the HIPAA Rules.

Discussion Points

    • Review and update policies and procedures related to HIPAA compliance, especially those addressing workforce access to ePHI. Ensure there are clear protocols for granting, modifying, and terminating access based on job roles and responsibilities. Include provisions for monitoring and responding to inappropriate access attempts or incidents.
    • Provide comprehensive HIPAA training to all staff who handle or have access to ePHI, with specific emphasis on access limitations, confidentiality requirements, and how to recognize and report unauthorized access. Training should be conducted at hire, at least annually, and whenever there are changes to policies or emerging risks.
    • Regularly audit system activity, including access logs and user behavior, to detect unauthorized or inappropriate access to ePHI. Periodically audit workforce compliance with privacy and security policies and verify that users access only the information necessary to perform their job functions.
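Added example, not part of the Med-Net Concepts alert or any OCR material: a small Python audit-log review routine for the third discussion point. It checks each EMR access against a workforce roster and a care-coordination table and flags the patterns at issue in this settlement (use of a former staff member's credentials, and access to a patient the user's practice has no relationship with) as well as unknown accounts. The roster, relationship table and log lines are constructed sample data.

```python
from datetime import date

# Constructed workforce roster: account -> (affiliated practice, termination date or None).
ROSTER = {
    "jdoe": ("Riverside Physicians", None),
    "asmith": ("Riverside Physicians", date(2018, 6, 30)),  # former staff member
    "bnurse": ("Hospital Unit 4", None),
}
# Constructed care-coordination table: practice -> patients (MRNs) it shares with the system.
CARE_RELATIONSHIPS = {
    "Riverside Physicians": {"MRN1001", "MRN1002"},
    "Hospital Unit 4": {"MRN1001", "MRN1002", "MRN2003"},
}
# Constructed EMR audit log, one access per line: "YYYY-MM-DD account action MRN".
AUDIT_LOG = """\
2018-09-14 jdoe view MRN1001
2018-09-15 asmith view MRN2003
2018-09-15 bnurse view MRN2003
2018-09-16 jdoe view MRN2003
2018-09-16 unknown view MRN1001
"""

def parse_line(line):
    """Split one audit record into (date, account, action, mrn)."""
    ts, user, action, mrn = line.split()
    return date.fromisoformat(ts), user, action, mrn

def review_access_log(log_text, roster, relationships):
    """Return (date, account, mrn, reason) for every access that fails a check.

    Checks, in order: the account exists; it was not terminated before the
    access; the account's practice has a care relationship with the patient.
    A terminated account is reported once, for the termination finding only.
    """
    findings = []
    for line in log_text.strip().splitlines():
        ts, user, _action, mrn = parse_line(line)
        if user not in roster:
            findings.append((ts, user, mrn, "unknown account"))
            continue
        practice, terminated = roster[user]
        if terminated is not None and ts > terminated:
            findings.append((ts, user, mrn, "account of former staff still active"))
        elif mrn not in relationships.get(practice, set()):
            findings.append((ts, user, mrn, "no care relationship with patient"))
    return findings
```

Each finding is a starting point for the follow-up the corrective action plan calls for: deprovisioning the account, confirming whether the access was authorized, and documenting the review.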

*This news alert has been prepared by Med-Net Concepts, Inc. for informational purposes only and is not intended to provide legal advice.*