HIPAA Penalties For Failure to Cut Off Access To Former Employee
It has been a busy few weeks for HIPAA enforcement. On Tuesday, the Office for Civil Rights (OCR) announced its third resolution of a HIPAA breach in as many weeks. In this latest matter, OCR announced that Pagosa Springs Medical Center (PSMC), a critical access hospital in Colorado, has agreed to pay $111,400 to OCR and to adopt a comprehensive, two-year corrective action plan (CAP) to address and settle potential HIPAA violations.
This settlement derives from a complaint that a former employee of PSMC still had remote access to electronic protected health information (ePHI) after separating from the health care entity. The access persisted because PSMC failed to deactivate the former employee's username and password. The former employee continued to have access to a web-based scheduling calendar that contained patients' protected health information (PHI). Further, the OCR investigation revealed that PSMC did not have a business associate agreement (BAA) in place with the scheduling vendor, as HIPAA requires.
OCR's investigation found that these violations compromised the ePHI of 557 individuals. Under the CAP, PSMC must: (1) update its policies and procedures (business associate relationships and uses and disclosures of PHI), (2) update its security management process (risk analysis and risk management), and (3) provide training to workforce members.
This settlement is a reminder to vet all vendor arrangements to determine whether a BAA is needed, and for employers to have concrete, seamless policies and procedures for employee departures that include terminating all access (remote or otherwise) to PHI and company information.
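One way to make that last point checkable, as an added example that is not part of the original post or of PSMC's own procedures: a reconciliation script that compares an HR separation roster against a scheduling vendor's active-user export and sign-in log, flagging accounts that should have been deactivated and any sign-ins after the separation date. All inputs are constructed; usernames, dates and the log format are placeholders.

```python
"""Offboarding reconciliation check (added example, not from the original post).

Assumes three constructed inputs: an HR roster with separation dates, the
active-user export of a third-party scheduling application, and that
application's sign-in log. Flags separated workforce members whose accounts
are still enabled and any successful sign-ins after the separation date.
"""
from datetime import date, datetime

# Constructed sample data; names, dates and usernames are placeholders.
HR_ROSTER = {
    "jdoe": date(2018, 3, 1),    # separated 2018-03-01
    "asmith": None,              # still employed
    "bjones": date(2018, 5, 15), # separated, account correctly disabled
}
SCHEDULER_USERS = {"jdoe": "active", "asmith": "active", "bjones": "disabled"}
SCHEDULER_LOG = [
    "2018-02-20T08:05:00 user=jdoe action=login result=success",
    "2018-04-02T19:41:00 user=jdoe action=login result=success",
    "2018-04-03T09:10:00 user=asmith action=login result=success",
    "2018-05-16T07:00:00 user=bjones action=login result=failure",
]

def parse_log(lines):
    """Parse 'timestamp key=value ...' lines into (datetime, user, result)."""
    events = []
    for line in lines:
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((datetime.fromisoformat(ts), kv["user"], kv["result"]))
    return events

def find_orphaned_accounts(roster, users):
    """Separated workforce members whose vendor account is still enabled."""
    return sorted(u for u, sep in roster.items()
                  if sep is not None and users.get(u) == "active")

def find_post_separation_logins(roster, events):
    """Successful sign-ins dated after the user's separation date."""
    hits = []
    for ts, user, result in events:
        sep = roster.get(user)
        if sep is not None and result == "success" and ts.date() > sep:
            hits.append((user, ts.isoformat()))
    return hits

if __name__ == "__main__":
    print("orphaned accounts:", find_orphaned_accounts(HR_ROSTER, SCHEDULER_USERS))
    print("post-separation logins:",
          find_post_separation_logins(HR_ROSTER, parse_log(SCHEDULER_LOG)))
```

Run against real exports, the first list is the deprovisioning gap to close and the second is the set of events an incident review would need to examine.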