Memorial Healthcare System (MHS) faced serious scrutiny over patient privacy and data security after the login credentials of a former employee of an affiliated physician’s office were used to access ePHI on a daily basis, affecting the patient privacy of 80,000 individuals. The incident resulted in a record $5.5 million HIPAA settlement with the U.S. Department of Health and Human Services and an agreement to implement a corrective action plan.
Memorial Healthcare System (MHS) is a long-time leader in providing high-quality healthcare services to South Florida residents. Today, it is one of the largest public healthcare systems in the nation and highly regarded for its exceptional patient- and family-centered care and its focus on patient privacy. Memorial’s patient, physician and employee satisfaction rates are some of the highest in the country, and the system is recognized as a national leader in quality healthcare.
Patient privacy has always been a priority to MHS, but in 2012, the organization detected that patient data had been accessed by a former employee of a third-party entity – compromising the patient privacy of 80,000 individuals. MHS notified the Office of Civil Rights (OCR) and immediately began a journey to create world-class privacy for its patients’ data. Last year, the security incident resulted in a $5.5 million fine and a three-year corrective action plan.
With the help of partners like FairWarning, MHS has transformed its program into one of patient privacy excellence. MHS chose the FairWarning Patient Privacy Platform and Managed Privacy Services, leveraging FairWarning’s expert team of HIPAA compliance, security and product analysts to minimize its risk profile and improve its compliance posture. Today, MHS secures patient data with world-class privacy monitoring systems, extensive training programs and a robust “just do” culture of compliance.
Richard Leon, Chief Information Security Officer at Memorial Healthcare, explains how he transformed his program to secure MHS, which comprises over 13,000 employees, 1,800 beds, and 2,500 physicians across six hospitals and ancillary health facilities.
“We needed a new approach to privacy investigation technology, privacy and security policies and workforce education that would ensure complete PHI access transparency,” Richard said.
In this webinar, Rich discusses the privacy challenges that come with a growing health system. MHS’s existing enterprise-wide privacy policies created an influx of data without the resources and expertise to properly investigate each incident. MHS was dealing with more than 10 patient record access alerts per week. Further challenges included ensuring Epic Care Connect access compliance for affiliated healthcare providers and ACO affiliate patient privacy adherence.
Richard explained, “Tracking access to our integrated Epic EHR by employed and affiliated physicians, as well as outside case reviewers and third parties, was essential, and we knew it would require more than just looking at logs for true cross-system transparency.”
Patient Privacy Excellence with FairWarning and Memorial Healthcare
As the first step in the MHS privacy and security journey, Richard developed a multipronged strategy framework that was built on the foundation of administrative policy controls and awareness training.
“FairWarning provided the data to understand workflows, pinpoint workforce data access and privacy challenges, and guide training,” said Richard.
With a true understanding of end-user behaviors and process modifications, Richard and his team developed training campaigns and videos to provide education and collaboration for privacy and security.
In addition, MHS began to see real results from the FairWarning platform and associated policies. The health system now gets detailed reporting when PHI is accessed and printed, as well as the who, what, and why behind each access. Richard explains that FairWarning has reduced the snooping alerts from one a day to one a week. He also explains the benefits of a 90% reduction in false positives with FairWarning.
“The 90% reduction in false positive alerts through the use of FairWarning’s Managed Privacy Services has saved us the time equivalent of two more FTEs to handle the past quantity of false alerts.”
The Q&A portion of this webinar will likely amaze you, with answers to some of the industry’s most pressing questions with transparent and honest insight.
This webinar provides an opportunity to learn how FairWarning provides a foundation for privacy and security and partners with organizations to design a roadmap for proactively mitigating risks and continually developing a culture dedicated to patient privacy excellence.
Chief Information Security Officer
Memorial Healthcare System
Kurt J. Long
CEO and Founder