UMass Memorial Health Care Inc. - Other Matters

UMass Memorial Health Care did not ensure that all users of its electronic health records information system completed information security awareness training.

Overview

UMass Memorial Health Care (UMMH) uses Epic Systems to maintain electronic health records for its MassHealth patients. UMMH officials told us that each employee's level of access to Epic Systems depends on their role, and that UMMH policy requires new employees to complete information security awareness training when hired, before using Epic Systems, and annually thereafter.

UMMH could not provide evidence that 5 out of 25 sampled system users completed information security awareness training before gaining access to Epic Systems, nor that they completed information security awareness training on an annual basis after gaining access to Epic Systems.

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, as described in Section 164.308(a)(5)(i) of Title 45 of the Code of Federal Regulations, states, “A covered entity or business associate must . . . Implement a security awareness and training program for all members of its workforce.”

By not ensuring that all Epic Systems users at UMMH complete information security awareness training, patient health information could become compromised due to user error and/or negligence. 

Auditee’s Response

The draft report alleges that UMMH “could not provide evidence that 5 out of 20 sampled system users” completed information security training prior to gaining access to Epic Systems or training on an annual basis thereafter. It is unclear to UMMH how [the Office of the State Auditor] is drawing this conclusion.

UMMH provided this information in its September 27, 2024 production. Specifically, UMMH provided evidence that all 20 sampled system users (15 employees and 5 contingent workers) received information security training and annual training thereafter. If there is additional information you believe you did not receive on this front, it has not been requested.

Response from EOHHS-MassHealth

EOHHS agrees that UMMH must abide by HIPAA requirements, including cyber security requirements.

Auditor’s Reply

In its response, UMMH states that it provided evidence of information security awareness training for all 20 sampled Epic Systems users. This is not the case, as for the 5 contingent workers, UMMH only provided signed HIPAA acknowledgement statements. In a letter addressed to the Office of the State Auditor on September 27, 2024, UMMH stated, “As a result of these issues, UMMH’s Human Resources department has not been able to locate all training and orientation records for the users identified on September 12, 2024.” HIPAA mandates that all members of a covered entity’s workforce (which includes temporary, voluntary, and contingent workers) must complete a security awareness training program.

Date published: November 4, 2025
