The Department of Health and Human Services’ Office for Civil Rights settled with Pagosa Springs Medical Center for $111,400 for failing to terminate a former employee’s access to electronic protected health information after the employment ended.
According to officials, the employee continued to have remote access to PSMC’s scheduling calendar, which contained the ePHI of 557 patients. The employee accessed the calendar on two separate occasions, two months apart.
Not only that, the investigation found PSMC had failed to secure a business associate agreement with Google, its web-based scheduling calendar vendor.
Under the settlement, PSMC must follow a two-year corrective action plan. Officials said the provider must update its security management process and its business associate agreements, along with its policies and procedures. PSMC will also need to train its workforce on the new policies.
Specifically, the agreement noted that PSMC must designate an individual responsible for ensuring that all third-party vendors handling patient data enter into a business associate agreement, and must create a process to assess current and future vendors to determine which of them qualify as business associates under HIPAA.
“It’s commonsense that former employees should immediately lose access to protected patient information upon their separation from employment,” OCR Director Roger Severino said in a statement. “This case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn’t.”
Under HIPAA, covered entities must have a business associate agreement in place with any vendor that creates, receives, maintains or transmits patient data on their behalf. Beyond that, organizations should use identity and access management controls to know who has access to ePHI and when, and should work with the human resources department so that an employee's access is revoked promptly when employment ends, not discovered months later in an access log.
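The reconciliation described above, as an added example written for this page (not code from OCR, PSMC or Google): the script joins a constructed HR separation roster against a snapshot of the scheduling application's accounts and its access log, flagging accounts still enabled after an employee's last day, any access recorded after that day, and any identity with no HR record at all. The CSV and log formats, field names and sample records are assumptions made for illustration.

```python
"""Reconcile an HR separation roster against account state and access logs.

Hypothetical example added for this article, not code from OCR, PSMC or any
vendor. Input formats, field names and the sample records below are all
constructed for illustration.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, datetime

# Constructed HR export: employee id, username, last day of employment
# (empty while still employed).
HR_ROSTER_CSV = """employee_id,username,termination_date
1001,abrown,
1002,cdavis,2018-03-31
1003,elopez,2018-01-15
"""

# Constructed snapshot of the scheduling application's account directory.
ACCOUNT_STATE_CSV = """username,enabled
abrown,true
cdavis,true
elopez,false
ghost,true
"""

# Constructed application access log: ISO timestamp, username, action.
ACCESS_LOG = """2018-03-30T16:02:11Z cdavis view_calendar
2018-04-12T09:41:03Z cdavis view_calendar
2018-06-09T20:15:47Z cdavis view_calendar
2018-02-01T08:00:00Z abrown view_calendar
2018-05-02T11:11:11Z ghost view_calendar
"""


@dataclass(frozen=True)
class Finding:
    kind: str       # orphaned_account | post_termination_access | unknown_identity
    username: str
    detail: str


def load_roster(text):
    """Map username -> termination date (None while still employed)."""
    roster = {}
    for row in csv.DictReader(io.StringIO(text)):
        term = row["termination_date"].strip()
        roster[row["username"]] = date.fromisoformat(term) if term else None
    return roster


def load_accounts(text):
    """Map username -> True if the application account is enabled."""
    return {row["username"]: row["enabled"].strip().lower() == "true"
            for row in csv.DictReader(io.StringIO(text))}


def find_orphaned_accounts(roster, accounts, as_of):
    """Enabled accounts whose owner's last day is already past, or unknown to HR."""
    findings = []
    for user, enabled in accounts.items():
        if not enabled:
            continue
        if user not in roster:
            findings.append(Finding("unknown_identity", user,
                                    "enabled account with no HR record"))
            continue
        term = roster[user]
        if term is not None and term < as_of:
            findings.append(Finding("orphaned_account", user,
                                    f"still enabled {(as_of - term).days} days after last day {term}"))
    return findings


def find_post_termination_access(roster, log_text):
    """Log entries dated after the user's last day of employment.

    Access on the termination date itself is treated as legitimate; anything
    from the following day onward is flagged.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").date()
        if user not in roster:
            findings.append(Finding("unknown_identity", user,
                                    f"{action} at {ts} by user with no HR record"))
            continue
        term = roster[user]
        if term is not None and when > term:
            findings.append(Finding("post_termination_access", user,
                                    f"{action} at {ts}, {(when - term).days} days after separation"))
    return findings


def reconcile(roster_csv=HR_ROSTER_CSV, accounts_csv=ACCOUNT_STATE_CSV,
              log_text=ACCESS_LOG, as_of=date(2018, 7, 1)):
    """Run both checks and return every finding."""
    roster = load_roster(roster_csv)
    accounts = load_accounts(accounts_csv)
    return (find_orphaned_accounts(roster, accounts, as_of)
            + find_post_termination_access(roster, log_text))


if __name__ == "__main__":
    for f in reconcile():
        print(f"{f.kind:24} {f.username:10} {f.detail}")
```

Run daily against a fresh HR export and an account snapshot, the first check is the preventive control (an account that should have been disabled); the second is the detective one, and in this sample it surfaces exactly the pattern in the PSMC case: a separated user reading the calendar weeks and then months after the last day. The "unknown identity" finding is the case both checks would otherwise miss, an account nobody in HR owns.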
Severino has reiterated that HIPAA enforcement at OCR will increase under his tenure. This is the second OCR settlement in the last month related to the lack of a business associate agreement.
Florida-based Advanced Care Hospitalists settled with OCR on December 4 for contracting with a billing vendor without confirming the vendor’s identity or obtaining a business associate agreement.
A week prior to that settlement, OCR settled with Allergy Associates of Hartford for $125,000 over a 2015 incident involving the impermissible disclosure of patient data to a reporter.