Failure to terminate access of departing employee leads to HIPAA penalty

Bricker & Eckler LLP

A critical access hospital in Colorado will pay $114,000 in a settlement with the Office of Civil Rights (OCR) stemming from the failure to terminate a former employee’s access to a hospital database containing protected health information (PHI).

OCR recently announced the settlement with Pagosa Springs Medical Center. OCR’s investigation found that, even after separation of employment, a former employee of the hospital continued to have remote access to the hospital’s web-based scheduling calendar, which contained patients’ PHI, allowing the former employee access to the PHI of 557 individuals. Additionally, the investigation found that the hospital did not have a business associate agreement in place with the web-based scheduling calendar vendor.

In a prior enforcement action, a health system paid $5.5 million to settle alleged HIPAA violations when the login credentials of a former employee of an affiliate were used to access a database containing PHI on a regular basis without detection for a year.   

HIPAA requires covered entities to have workforce security policies in place regarding the right of access to PHI. Specifically, covered entities must implement procedures “for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends.” Keep in mind, as the Pagosa Springs Medical Center case shows, that these policies should not be limited to terminating access to the covered entity’s EHR but should, rather, extend to any and all systems or databases that include PHI.
