Banner Health Settles Alleged HIPAA Security Rule Violations for $1.25 Million

By | February 3, 2023

The HHS’ Office for Civil Rights has announced its second financial penalty of 2023 to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). Banner Health has agreed to pay a financial penalty of $1,250,000 and adopt a corrective action plan to resolve the alleged HIPAA Security Rule violations.

Phoenix, AZ-based Banner Health is one of the largest non-profit health systems in the United States. The health system includes 30 hospitals and more than 69 affiliated healthcare facilities in 6 U.S. states and employs more than 50,000 individuals.  On July 13, 2016, Banner Health detected a security breach, with the subsequent investigation confirming hackers gained access to its systems on June 17, 2016. The hackers were able to access systems containing the protected health information (PHI) of 2.81 million individuals, including names, addresses, dates of birth, Social Security numbers, claims information, lab results, medications, diagnoses, and health insurance information. After being informed about the impermissible disclosure of PHI, OCR initiated a review of HIPAA Security Rule compliance to determine if noncompliance was a contributory factor to the data breach.

OCR’s investigators determined that Banner Health had failed to conduct an accurate and thorough analysis of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI. The administrative safeguards of the HIPAA Security Rule include a requirement to conduct regular reviews of information system activity to identify unauthorized access to PHI. OCR determined that Banner Health had not implemented sufficient procedures to conduct regular reviews.

The HIPAA Security Rule requires covered entities to implement technical safeguards to ensure the confidentiality, integrity, and availability of ePHI. Banner Health failed to implement sufficient procedures to verify the identity of persons seeking access to ePHI to ensure they are who they claim to be, and insufficient technical security measures had been implemented to protect against unauthorized access to ePHI transmitted over an electronic communications network.

OCR said its investigators found evidence of long-term, pervasive noncompliance with the HIPAA Security Rule across the Banner Health organization, which was a serious concern given the size of the covered entity, and the HIPAA violations were sufficiently severe to warrant a financial penalty. In addition to paying a financial penalty, Banner Health has agreed to adopt a corrective action plan (CAP) that includes the requirement to conduct an accurate and thorough risk analysis to determine risks and vulnerabilities to electronic patient/system data across the organization and develop a risk management plan to address any vulnerabilities identified by the risk analysis. Policies and procedures must be developed, implemented, and distributed to the workforce covering risk analyses, risk management, system activity reviews, authentication processes, and security measures to protect against unauthorized PHI access. OCR will monitor Banner Health for compliance with the CAP for 2 years.

“Hackers continue to threaten the privacy and security of patient information held by health care organizations, including our nation’s hospitals,” said OCR Director Melanie Fontes Rainer. “It is imperative that hospitals and other covered entities and business associates be vigilant in taking robust steps to protect their systems, data, and records, and this begins with understanding their risks, and taking action to prevent, respond to and combat such cyber-attacks. The Office for Civil Rights provides help and support to health care organizations to protect against cyber security threats and comply with their obligations under the HIPAA Security Rule. Cyber security is on all of us, and we must take steps to protect our health care systems from these attacks.”

The post Banner Health Settles Alleged HIPAA Security Rule Violations for $1.25 Million appeared first on HIPAA Journal.