August 14, 2020

Volume X, Number 227


HIPAA Penalties For Failure to Cut Off Access To Former Employee

It has been a busy few weeks for HIPAA enforcement. On Tuesday, the Office for Civil Rights (OCR) announced its third resolution of a HIPAA breach in as many weeks. In this latest matter, OCR announced that Pagosa Springs Medical Center (PSMC), a critical access hospital in Colorado, has agreed to pay $111,400 to OCR and to adopt a comprehensive, two-year corrective action plan (CAP) to address and settle potential HIPAA violations.

This settlement derives from a complaint that a former employee of PSMC still had remote access to electronic protected health information (ePHI) after separating from the health care entity. The access persisted because PSMC failed to deactivate the former employee's username and password. The former employee continued to have access to a web-based scheduling calendar that contained patients' protected health information (PHI). Further, the OCR investigation revealed that PSMC did not have a business associate agreement (BAA) in place with the scheduling vendor, as HIPAA requires.

OCR's investigation found that these violations compromised the ePHI of 557 individuals. Under the CAP, PSMC must complete the following: (1) update its policies and procedures governing business associate relationships and uses and disclosures of PHI, (2) update its security management process, including risk analysis and risk management, and (3) train workforce members on the updated policies.

This settlement is a reminder to vet all vendor arrangements to determine whether a BAA is needed, and for employers to have concrete, seamless policies and procedures for employee departures that terminate all access, remote or otherwise, to PHI and company information. The two failures here are related: a vendor-hosted calendar that was never brought under a BAA was also the one system nobody checked when the employee left, so an offboarding procedure is only as complete as the inventory of systems it runs against.
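The check a practitioner would want after reading this is a reconciliation of HR separation records against every system that still has an enabled account for the departed user, including vendor-hosted web applications, plus a pass over the same system inventory for PHI-holding vendors with no BAA on file. The following is an added example written for this page; it is not code from the Mintz article, from PSMC, or from OCR. All system names, usernames, dates and flags are constructed for illustration, and the data would in practice come from the HR system, the directory and each vendor's user-management API.

```python
"""Offboarding reconciliation and BAA gap check.

Added example for this article, not part of the original page. All names,
dates and systems below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class System:
    name: str
    vendor: Optional[str]  # None for an in-house system
    holds_phi: bool
    baa_on_file: bool


@dataclass(frozen=True)
class Account:
    system: str
    username: str
    enabled: bool
    remote: bool  # reachable from outside the network (web app, VPN)


# Constructed inventory. The scheduling calendar is a vendor-hosted web app;
# if it is missing from this list it is never checked, which is the gap the
# settlement describes.
SYSTEMS = [
    System("ad", None, holds_phi=True, baa_on_file=False),
    System("ehr", "ehr-vendor", holds_phi=True, baa_on_file=True),
    System("scheduling", "calendar-vendor", holds_phi=True, baa_on_file=False),
    System("payroll", "payroll-vendor", holds_phi=False, baa_on_file=False),
]

# Constructed HR separation records: username -> last day of employment.
SEPARATIONS = {"jdoe": date(2018, 1, 15), "asmith": date(2018, 3, 2)}

# Constructed account export from each system.
ACCOUNTS = [
    Account("ad", "jdoe", enabled=False, remote=False),
    Account("ehr", "jdoe", enabled=False, remote=True),
    Account("scheduling", "jdoe", enabled=True, remote=True),  # missed at offboarding
    Account("ad", "asmith", enabled=True, remote=False),       # separated, still enabled
    Account("ad", "bwong", enabled=True, remote=True),         # current workforce member
]


def orphaned_accounts(separations, accounts, as_of):
    """Return (username, system, days_since_separation, remote) for every
    enabled account that belongs to a separated workforce member."""
    found = []
    for acct in accounts:
        last_day = separations.get(acct.username)
        if last_day is None or not acct.enabled:
            continue
        days = (as_of - last_day).days
        if days >= 0:  # ignore future-dated separations still being processed
            found.append((acct.username, acct.system, days, acct.remote))
    return sorted(found)


def vendors_missing_baa(systems):
    """Return names of vendor-hosted systems that hold PHI with no BAA on file."""
    return sorted(s.name for s in systems
                  if s.vendor is not None and s.holds_phi and not s.baa_on_file)


def offboarding_report(as_of_iso, separations=SEPARATIONS,
                       accounts=ACCOUNTS, systems=SYSTEMS):
    """Run both checks as of an ISO date and return the findings."""
    as_of = date.fromisoformat(as_of_iso)
    return {
        "orphaned": orphaned_accounts(separations, accounts, as_of),
        "missing_baa": vendors_missing_baa(systems),
    }


if __name__ == "__main__":
    report = offboarding_report("2018-03-12")
    for user, system, days, remote in report["orphaned"]:
        print(f"{user}: still enabled on {system}, {days} days after separation"
              + (" (remote access)" if remote else ""))
    for name in report["missing_baa"]:
        print(f"{name}: holds PHI, vendor-hosted, no BAA on file")
```

Run on a schedule and treat any row in `orphaned` as an incident, not a ticket: the age column is the exposure window OCR would ask about, and the `remote` flag tells you whether the account was usable from home after the last day. The `missing_baa` list is the vendor-vetting step from the article applied to the same inventory, so a vendor that is missing from `SYSTEMS` fails both checks silently; keeping that inventory complete is the control.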

©1994-2020 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved. National Law Review, Volume VIII, Number 346


About this Author

Kristen A. Marotta, Associate, Hospitals & Health Systems, Physician Organizations

Kristen focuses her practice on health care transactions, regulatory matters, and general contracting. Her experience includes counseling clients on both investing in and exiting from the health care space, drafting compliance plans and policies, facilitating deals and conducting due diligence to assess risk, addressing employment issues for health care entities, and assisting companies with formation and reorganization.

Prior to joining Mintz, Kristen was an associate...