New Haven Settles HIPAA Breach For $202K

Rivkin Radler LLP

The city of New Haven, Connecticut recently agreed to pay $202,400 to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) to settle multiple HIPAA violations in connection with a 2016 incident at the city’s public health clinic. OCR announced the settlement on October 30.

In January 2017, the New Haven Health Department reported to OCR that the protected health information (PHI) of 498 patients of its clinic had been improperly accessed. Upon investigation, OCR discovered that a former employee improperly entered her old office and locked herself in, logged into her old computer using her still-active user name and password, and downloaded PHI from the computer onto a USB drive. The PHI included results of patients’ sexually transmitted disease tests.

OCR’s investigation concluded that the city had failed to conduct an enterprise-wide risk analysis, did not have proper employee termination procedures and access controls, and lacked HIPAA-compliant policies and procedures. “Medical providers need to know who in their organization can access patient data at all times,” OCR Director Roger Severino said. “When someone’s employment ends, so must their access to patient records.”

In addition to the civil monetary penalty, the city of New Haven agreed to enter into a corrective action plan with HHS, which includes two years of monitoring.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Rivkin Radler LLP | Attorney Advertising
