Privacy & Information Security Law Blog

On February 16, 2017, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) entered into a resolution agreement with Memorial Healthcare System (“Memorial”) that emphasized the importance of audit controls in preventing breaches of protected health information (“PHI”). The $5.5 million settlement with Memorial is the fourth enforcement action taken by OCR in 2017, and matches the largest civil monetary ever imposed against a single covered entity.

In April 2012, Memorial submitted a breach report to OCR indicating that it had suffered a breach involving impermissible access to PHI by employees. Memorial supplemented that report three months later, indicating that it had discovered additional impermissible access that resulted in a total of 115,000 affected patients. The PHI involved consisted of patients’ names, dates of birth and Social Security numbers. OCR investigated Memorial and found that the entity had committed several HIPAA violations by (1) impermissibly disclosing PHI in violation of the Privacy Rule, (2) failing to implement procedures to regularly review records of information system activity such as audit logs and (3) failing to implement policies and procedures to review and modify users’ access to PHI.

The resolution agreement requires Memorial to pay $5.5 million to OCR and enter into a Corrective Action Plan that obligates Memorial to:

• conduct a risk analysis and implement a risk management plan;
• revise its policies and procedures regarding information systems activity review and access establishment, modification and termination;
• distribute the revised policies and procedures to its workforce members;
• submit a plan to OCR to internally monitor its compliance with the Corrective Action Plan;
• select and engage an independent third-party assessor to review the entity’s compliance with the Corrective Action Plan;
• report any events of noncompliance with its HIPAA policies and procedures; and
• submit annual compliance reports for a period of three years.

In announcing the settlement with Memorial, OCR Acting Director Robinsue Frohboese stated that “organizations must implement audit controls and review audit logs regularly. As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen.”

In connection with the Memorial settlement, OCR also linked to its recent guidance on audit trails. The guidance discusses three types of audit trails: (1) application audit trails, (2) system-level audit trails and (3) user audit trails, and encourages covered entities and business associates to “consider which audit tools may best help them with reducing non-useful information contained in audit records, as well as with extracting useful information.”