Curiosity Cost the Hospital: OCR Collects $240K After Guards 'Snooped' in Hundreds of Records

Why would security guards working in an emergency department (ED) ever need access to a hospital’s electronic health record (EHR) system?

That’s perhaps the first question to ask in light of a nearly quarter-million-dollar payment a nonprofit Washington state hospital recently made to the HHS Office for Civil Rights (OCR). The agency alleged that nearly two dozen guards for what was then named Virginia Mason Hospital were caught “snooping” around in approximately 400 ED patient records “without a job-related purpose.”[1]

Unfortunately, officials for the system that in January acquired the hospital—now called MultiCare Yakima Memorial Hospital—wouldn’t tell RPP why the guards had access or provide any other information about what happened, except to say the guards were vendors and their employment was terminated.

However, a news report from 2017 said the snooping was found during a “routine audit,” and a hospital official contended access happened out of “boredom.”[2] He also said there was no way to segregate data to shut off protected health information (PHI) the guards didn’t need.

Now that boredom has proved costly. In addition to implementing a two-year corrective action plan (CAP) with myriad requirements—including instituting access controls—Yakima agreed to pay OCR $240,000. The settlement was the costliest of three OCR announced in June. Future issues of RPP will explore those other agreements, which address disclosure of PHI in response to a negative online review and via an unsecured server.
