Three New HIPAA IT Security Policies

Following security breaches discovered in 2011-2012, Memorial Healthcare System has pledged to comply with a Corrective Action Plan issued by the Office of Civil Rights. As part of this compliance, and in an effort to prevent future HIPAA violations, Memorial has implemented the following three new policies and is raising awareness with the workforce, vendors, and Business Associates.

Access: System Access Establishment, Modification and Termination Policy and Procedure (PDF)
Monitoring: Information System Activity Review Policy and Procedure (PDF)
Risk Analysis: HIPAA Risk Analysis and HIPAA Risk Management Policy (PDF)

Behind the Breach

The Incident

A few years ago, Memorial discovered that individuals who worked in affiliated physicians' offices had inappropriately accessed patient information by using legitimate login credentials. True to its culture of compliance and transparency, Memorial proactively reported the findings of its internal investigation to the Department of Health and Human Services' Office of Civil Rights (OCR). Other actions included:

Notifying all patients who may have been affected and providing them with free credit-monitoring.
Implementing new, sophisticated technologies designed to monitor use and access of patient data.
Further restricting access to protect patient information.
Enacting new policies and procedures to enhance password security.
Hiring IBM, a global leader in cybersecurity, to provide assessment, response, and monitoring services. IBM continues to provide cybersecurity services to Memorial today.
Hiring an independent technology firm to conduct network audits and scans.

The Settlement

As part of a Corrective Action Plan (CAP), Memorial Healthcare System has been required to implement three new policies. The settlement places all Memorial employees, volunteers, vendors, and business associates under OCR's scrutiny. Memorial has actively distributed three new policies to raise awareness among all stakeholders.

Patient Privacy is Everyone's Responsibility

As part of the Memorial Healthcare System family, it is your responsibility to report any suspicious activity and to ensure you are only accessing information that you have been authorized to access. Patient information can include family history, social security number, account numbers, palm print, medical records, admission and discharge dates, and other vital and confidential data.

Memorial Healthcare System has zero tolerance for snooping. No matter how well-intentioned a data search may seem, the act is considered a serious violation and can result in termination.

You are an ambassador of Memorial Healthcare System's standards. As a team, the actions of one affect us all. Protecting a patient's confidential data not only demonstrates moral respect, but also builds trust. Always remember what it means to be a part of the Memorial family: to care for our patients and to work as a unified force.

For more information or to report suspicious activity, please contact us at 954-265-1165 or firstname.lastname@example.org.