An overlooked HIPAA requirement recently cost Memorial Healthcare Systems $5 million. What was their costly HIPAA violation? Failing to meet the requirement to periodically review your computer network’s system logs—implementing audit controls and reviewing your audit logs regularly. Without reviewing these logs, you will not be able to tell whether your system has been compromised.
In the case of MHS, failure to regularly review their system logs meant they weren’t aware that a former employee’s login was used to access patient information—including names, dates of birth, and social security numbers—on a daily basis for more than a year, affecting 80,000 individuals. Even though MHS had employee access policies and procedures in place, their failure to regularly review their computer network’s logs meant that ongoing inappropriate access to patient information went undetected.
According to an HHS press release on Feb. 16, 2017, “Access to ePHI must be provided only to authorized users, including affiliated physician office staff,” said Robinsue Frohboese, Acting Director, HHS Office for Civil Rights. “Further, organizations must implement audit controls and review audit logs regularly. As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen.”
This is another strong message to covered entities that OCR takes HIPAA violations and the exposure of patients’ protected health information very seriously. Suffering a financial penalty of this size can be gravely detrimental to your health care network or practice. Ensure that you are HIPAA compliant by attending our free webinar, “What you don’t know about this HIPAA Requirement Could Cost You $5 Million” with nationally renowned HIPAA expert Roger Shindell. He will also guide you through our free HIPAA Diagnostic® and explain how our services will help keep you on the road to HIPAA compliance.