Snooping on Medical Records by Hospital Security Guards Leads to $240,000 HIPAA Settlement


Washington’s Yakima Valley Memorial Hospital resolves violation affecting 419 people

Today, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a settlement agreement with Yakima Valley Memorial Hospital, a non-profit community hospital in Yakima, Washington, resolving an investigation under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). OCR investigated allegations that several security guards at Yakima Valley Memorial Hospital had impermissibly accessed the medical records of 419 people. HIPAA is a federal law that protects the privacy and security of protected health information (PHI). The HIPAA Privacy, Security, and Breach Notification Rules apply to most healthcare organizations and set out the requirements that HIPAA-regulated entities must follow to protect the privacy and security of health information. To voluntarily resolve the matter, Yakima Valley Memorial Hospital agreed to pay $240,000 and to implement a plan to update its policies and procedures to safeguard PHI and to train its workforce to prevent this type of snooping in the future.

“Data breaches caused by current and former workforce members gaining unlawful access to patient records are a recurring problem in the healthcare industry. Healthcare organizations must ensure that members of the workforce have access only to the patient information they need to do their jobs,” said OCR Director Melanie Fontes Rainer. “Entities covered by HIPAA must have robust policies and procedures in place to ensure that patient health information is protected from identity theft and fraud.”

In May 2018, OCR opened an investigation into Yakima Valley Memorial Hospital after receiving a breach notification report alleging that 23 security guards who worked in the hospital’s emergency department had used their login credentials to access patient records held in the hospital’s electronic health care registration system without a work-related purpose. The information accessed included names, dates of birth, medical record numbers, addresses, some treatment notes, and insurance information.


Under the settlement agreement, OCR will monitor Yakima Valley Memorial Hospital for two years to ensure compliance with the HIPAA Security Rule. Yakima Valley Memorial Hospital has agreed to take the following steps to bring the organization into HIPAA compliance:

  • Conduct an accurate and thorough risk analysis to determine the risks and vulnerabilities to its electronic protected health information;
  • Develop and implement a risk management plan to address and mitigate the security risks and vulnerabilities identified in the risk analysis;
  • Develop, maintain, and review, as necessary, its written HIPAA policies and procedures;
  • Enhance existing HIPAA and security training program to provide workforce training on updated HIPAA policies and procedures;
  • Review all relationships with vendors and third-party service providers to identify business associates and obtain business associate agreements with business associates if not already in place.

The resolution agreement and corrective action plan can be found at:

OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of people’s health information. If you believe that your or another person’s health information privacy or civil rights have been violated, you can file a complaint with OCR at
