Failure to terminate access of departing employee leads to HIPAA penalty

Bricker Graydon LLP

Bricker & Eckler LLP

A critical access hospital in Colorado will pay $114,000 in a settlement with the Office of Civil Rights (OCR) stemming from the failure to terminate a former employee’s access to a hospital database containing protected health information (PHI).

OCR recently announced the settlement with Pagosa Springs Medical Center. OCR’s investigation found that, even after separation of employment, a former employee of the hospital continued to have remote access to the hospital’s web-based scheduling calendar, which contained patients’ PHI, allowing the former employee access to the PHI of 557 individuals. Additionally, the investigation found that the hospital did not have a business associate agreement in place with the web-based scheduling calendar vendor.

In a prior enforcement action, a health system paid $5.5 million to settle alleged HIPAA violations when the login credentials of a former employee of an affiliate were used on a regular basis, without detection for a year, to access a database containing PHI.

HIPAA requires covered entities to have workforce security policies in place regarding the right of access to PHI. Specifically, covered entities must implement procedures “for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends.” Keep in mind, as the Pagosa Springs Medical Center case shows, that these policies should not be limited to terminating access to the covered entity’s EHR but should, rather, cover any and all systems or databases that include PHI.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
