Another HIPAA Breach, Another 6-Figure HIPAA Settlement

Murtha Cullina

A Colorado Hospital reached a $111,400 settlement with the Office for Civil Rights (“OCR”) for failing to terminate a former employee’s access to electronic protected health information. OCR’s investigation uncovered that the hospital impermissibly disclosed electronic protected health information of over 500 individuals to the former employee because it failed to terminate that employee’s access. Additionally, OCR found that the hospital impermissibly disclosed information to Google Calendar, without a business associate agreement. There are two main takeaways here.

First, with the New Year around the corner, it would be a great time to reexamine your HIPAA policies and procedures. OCR makes clear that it does not take a breach of protected health information in order to be subject to an enforcement action. Rather, OCR’s Director states that: “Covered entities that do not have or follow procedures to terminate information access privileges upon employee separation risk a HIPAA enforcement action.” Therefore, all organizations must ensure that they have proper procedures and safeguards in place for when employees leave.

Second, covered entities must have business associate agreements in place with all organizations, even web-based platforms, which will maintain, use or disclose electronic protected health information. As a prophylactic measure in the new year, we recommend conducting an audit of your organization’s vendor agreements, examining (1) whether the vendor maintains, uses or discloses protected health information and (2) if so, whether there is a compliant business associate agreement in place.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Murtha Cullina | Attorney Advertising
