Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

BayCare Health System settles with HHS for $800K

Written by Tshedimoso Makhene | June 27, 2025

BayCare Health System agreed to pay $800,000 and implement stricter security measures after the HHS Office for Civil Rights found it failed to properly protect patient electronic health information.

What happened

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has reached an $800,000 settlement with Florida-based BayCare Health System over several potential violations of the HIPAA Security Rule. The settlement follows a complaint from a patient who alleged impermissible access to her electronic protected health information (ePHI) after receiving treatment at a BayCare facility. The complainant reported being contacted by an unknown individual who shared photos of her printed medical records and a video showing someone scrolling through her records on a computer screen.


Backstory

OCR launched an investigation in October 2018, which revealed that the credentials used to access the complainant’s records belonged to a non-clinical former employee of a physician’s practice affiliated with BayCare. The practice had retained access to BayCare’s electronic medical records system for the sake of continuity of patient care. However, the investigation found that BayCare had failed to implement safeguards that would limit such access to what each user’s job function required.

BayCare was found to be potentially non-compliant with multiple HIPAA Security Rule requirements, including:

  • Not establishing proper access controls aligned with the HIPAA Privacy Rule.
  • Failing to minimize risks and vulnerabilities to ePHI.
  • Neglecting to routinely review logs and records of information system activity.


What was said

“In an era of hacking and ransomware attacks, HIPAA regulated entities still need to ensure that workforce members and other users with access to an electronic medical record only have access to the health information necessary for them to perform their jobs,” said OCR Acting Director Anthony Archeval in an HHS press release. “Allowing unrestricted access to patient health information can create an attractive target for a malicious insider.”

See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)


FAQs

What is an insider threat?

An insider threat refers to the risk posed by someone within an organization, such as an employee, contractor, or former staff member, who has authorized access to sensitive information but misuses that access intentionally or accidentally.


What is electronic protected health information (ePHI)?

ePHI refers to any protected health information that is created, stored, transmitted, or received electronically, such as digital medical records, lab results, and patient billing data.


Why is auditing system activity important?

Auditing helps detect and investigate unauthorized access or suspicious activity, ensuring that only authorized personnel view or modify sensitive health data.
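As an added example (not code from the Paubox post, BayCare, or HHS), this script shows the kind of routine log review the settlement faulted BayCare for skipping: it checks EMR access events against a workforce roster and flags accounts whose owners have left, accounts unknown to the roster, and actions outside a user's role. The roster, log format, and log lines are all constructed for illustration.

```python
# Added example: review constructed EMR access-log lines against a constructed
# workforce roster to surface the failure modes described in the settlement:
# a departed user's credentials still working, and access beyond job function.
from datetime import date

# Constructed roster: user -> active flag, separation date, permitted actions
ROSTER = {
    "jdoe":   {"active": True,  "left": None,              "allowed": {"view", "print"}},
    "asmith": {"active": False, "left": date(2018, 6, 30), "allowed": set()},
    "bwong":  {"active": True,  "left": None,              "allowed": {"view"}},
}

# Constructed audit-log lines: timestamp user action record-id workstation
ACCESS_LOG = """\
2018-09-12T08:14:05 jdoe   view  MRN-4471 ws-clinic-12
2018-09-12T21:47:30 asmith view  MRN-4471 ws-remote-03
2018-09-12T21:48:02 asmith print MRN-4471 ws-remote-03
2018-09-13T10:02:19 bwong  print MRN-9920 ws-billing-02
"""

def parse_log(text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, action, mrn, host = line.split()
        events.append({"ts": ts, "user": user, "action": action,
                       "mrn": mrn, "host": host})
    return events

def review(events, roster):
    """Return (reason, event) findings for a human reviewer to follow up."""
    findings = []
    for ev in events:
        entry = roster.get(ev["user"])
        if entry is None:
            findings.append(("unknown_account", ev))
            continue
        event_day = date.fromisoformat(ev["ts"][:10])
        # Credentials used after the user left, or on a deactivated account
        if not entry["active"] or (entry["left"] and event_day > entry["left"]):
            findings.append(("terminated_account_active", ev))
        # Action not permitted for this user's job function
        elif ev["action"] not in entry["allowed"]:
            findings.append(("action_outside_role", ev))
    return findings

if __name__ == "__main__":
    for reason, ev in review(parse_log(ACCESS_LOG), ROSTER):
        print(f"{reason}: {ev['user']} {ev['action']} {ev['mrn']} at {ev['ts']}")
```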