Yakima Valley Memorial Hospital (YV) in Washington settled with the Office of Civil Rights (OCR) after OCR's investigation alleged that several YV security guards impermissibly accessed 419 individuals' medical records. Interestingly, the settlement only details that YV potentially violated the requirement to "...implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of the Security Rule..."
The settlement includes a two-year corrective action plan (CAP) that includes YV agreeing to:
conduct a risk analyis
develop and implement a risk management plan
develop and promulgate policies and procedures to its workforce
review business associate contracts, and
provide an annual report to OCR
We cannot help but wonder what else wasn't good with YV, to include so many CAP requirements, if all that was missing or non-compliant was policies and procedures. Regardless, we empathize with the remainder of the YV staff that was trying to be compliant and with the patients affected. Click the link to read the HHS announcement.
Stay (HIPAA) safe, Alan -