When Policies and Procedures Are Just Not Enough: Memorial Healthcare System Settlement

Alexander Thompson
Associate Editor
Loyola University Chicago School of Law, JD 2018


On February 16, 2017, the HHS Office of Civil Rights Acting Director, Robinsue Frohboese, announced the second largest HIPAA settlement fine ever. At $5.50 million, Memorial Healthcare System’s fine was just behind the $5.55 million given to Advocate Healthcare in 2016. Memorial Healthcare System (“MHS”) was found to be in violation of both the HIPAA Privacy and Security Rules as current employees were using the login credentials of former employees to access a massive quantity of patient records. This violation occurred due to a lack of controls put in place to terminate users’ right of access to ePHI once they left MHS.

The Situation

In April, 2012, MHS reported to HHS Office of Civil Rights (“OCR”) that current MHS employers inappropriately accessed the Protected Health Information (“PHI”) of approximately 115,000 patients. Furthermore, the employees exacerbated the violation by impermissibly disclosing the patient information to physician office staff affiliated with MHS. The PHI obtained by the employees included: names, dates of birth, and social security numbers. Current employees continually used the login credentials of a former employee to gain access to patient information every day from April 2011 to April 2012.

MHS did have policies and procedures in places to restrict employees access to patient information. However, OCR determined that compliance with the policies and procedures was not monitored with respect to reviewing, modifying and/or terminating users’ right of access to electronic PHI (“ePHI”), as required by HIPAA.  Furthermore, OCR discovered that MHS ignored several risk analyses conducted between 2007 and 2012. These risk analyses identified that MHS needed to regularly review records of information system activity on applications (such as the Electronic Medical Record that houses patient data) that maintain ePHI by users affiliated with MHS.

OCR’s Acting Director, Robinsue Frohboese, stated that “access to ePHI must be provided only to authorized users, including affiliated physician office staff” and that “organizations must implement audit controls and review logs regularly.” Frohboese went on to say that “as this case shows, a lack of access controls and regular review of audit logs helped hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen.”

The Solution

Acting Director Frohboese touched on a number of issues that can plague a compliance program. The main issue that Acting Director Frohboese commented was that policies and procedures are a great foundation for all compliance programs. However, if the other six essential elements of a compliance program (have a compliance officer, auditing and monitoring, training employees, compliance hotline, discipline, and timely response to suspect non-compliance) are not a part of the compliance program as well, then the policies and procedures are just words on paper. Policies and procedures need to be audited and monitored on a regular basis to ensure compliance. Furthermore, policies and procedures that have been found to be particularly risky (by a risk analysis) need to be audited and monitored even more frequently.

MHS implemented new technologies to attempt to detect breaches before they get to the magnitude seen here. This is according to a MHS spokesperson who said that MHS “implemented new, sophisticated technologies designed to monitor use and access of patient data, further restricted access to protect patient information, and enacted new policies and procedures to enhance password security.” While MHS has taken responsibility for the breach and has taken steps to rectify the situation, this scenario serves as a very stark reminder to compliance professionals around the United States: audit and monitor your policies and procedures to ensure compliance, don’t just allow your entities policies and procedures to be words on paper.