Provisioning Workforce Access to Electronic Protected Health Information: It May Be ‘Common Sense,’ but Is It Easy to Implement?

BakerHostetler
In December 2018, Pagosa Springs Medical Center settled potential Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rule violations and entered into a corrective action plan with the Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services. The incident involved a former employee who continued to have remote access to Pagosa Springs Medical Center’s web-based scheduling calendar for two months after the employee’s termination, which resulted in 557 individuals’ electronic protected health information (ePHI) being improperly disclosed. Additionally, there was no business associate agreement between Pagosa Springs Medical Center and Google, the web-based scheduling calendar vendor. Pagosa Springs Medical Center, an 11-bed critical access hospital located in rural Colorado, paid $111,400 and entered into a two-year corrective action plan. The corrective action plan includes updates to Pagosa Springs Medical Center’s HIPAA security management, business associate agreement, and policies and procedures, as well as training its workforce in these areas.

Notably, OCR Director Roger Severino stated, “It’s common sense that former employees should immediately lose access to protected health information upon their separation from employment, and this case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn’t.” Although this may seem like common sense, implementing and maintaining a process for provisioning workforce access to information systems that contain ePHI requires continuous vigilance by the covered entity.

The HIPAA Security Rule requires a covered entity to implement workforce security policies and procedures to ensure that all workforce members have appropriate access to ePHI, and to prevent those workforce members who do not have access privileges from obtaining access to ePHI. A covered entity should have a clearly defined policy and procedure, with assigned responsibility for human resources, managers, and IT Security, to manage workforce access to information systems containing ePHI at every stage of the provisioning process, from the initial access request through modification and termination of access. IT Security should process requests only upon completion of an access request form initiated by the appropriate manager and approved by the security officer or designee. Upon notice of termination of the workforce member’s employment, it is the manager’s responsibility to communicate the termination to the human resources department and the security officer, who can then act to remove the workforce member’s access on the individual’s last day of work. The covered entity should have a similar process for provisioning business associates’ access, including contractual obligations to timely notify the covered entity of a business associate’s workforce termination, so that the covered entity may act. The covered entity should train and educate managers on their responsibilities in this area and hold managers accountable for implementing the procedures. The covered entity also should implement a process to regularly identify workforce members’ user accounts that have become inactive or whose passwords have not been reset within the prescribed period, and verify the need for continued access or terminate the accounts.
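The periodic access review described above, as an added illustration that is not part of the BakerHostetler article: a Python check that compares an HR roster against an account export from the system holding ePHI and flags accounts that HR shows as terminated but that remain enabled, accounts with no HR record (for example a business associate's user), inactive accounts, and stale passwords. The roster, the account export, the review date and the 90/180-day thresholds are all constructed assumptions, since the article only speaks of a "prescribed period".

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed review thresholds; the article speaks of a "prescribed period" but sets none.
INACTIVE_DAYS = 90
PASSWORD_MAX_AGE_DAYS = 180
REVIEW_DATE = date(2019, 1, 10)  # constructed "today" for the sample data below

@dataclass
class Account:
    user: str
    enabled: bool
    last_login: Optional[date]  # None = never logged in
    password_set: date

# Constructed HR roster: user -> termination date (None = still employed).
HR_ROSTER = {
    "aprice": None,
    "jdoe": date(2018, 6, 30),    # left months ago
    "mlee": None,
    "rkhan": date(2018, 12, 15),  # left recently
}

# Constructed account export from the system that holds ePHI.
ACCOUNTS = [
    Account("aprice", True, date(2019, 1, 8), date(2018, 11, 1)),
    Account("jdoe", True, date(2018, 8, 20), date(2018, 2, 1)),
    Account("mlee", True, None, date(2018, 3, 1)),
    Account("rkhan", False, date(2018, 12, 14), date(2018, 10, 1)),
    Account("bavendor1", True, date(2019, 1, 9), date(2018, 12, 1)),
]

def review_access(accounts, roster, today):
    """Return (user, reason) findings for the security officer. An account that HR
    shows as terminated but that is still enabled is the orphaned-access case."""
    findings = []
    for a in accounts:
        if a.user not in roster:
            findings.append((a.user, "no HR record: confirm owner and BAA"))
        elif roster[a.user] is not None and a.enabled:
            findings.append((a.user, f"terminated {roster[a.user]} but still enabled"))
        if not a.enabled:
            continue  # already disabled; nothing further to check
        if a.last_login is None or (today - a.last_login).days > INACTIVE_DAYS:
            findings.append((a.user, f"inactive more than {INACTIVE_DAYS} days"))
        if (today - a.password_set).days > PASSWORD_MAX_AGE_DAYS:
            findings.append((a.user, f"password older than {PASSWORD_MAX_AGE_DAYS} days"))
    return findings
```

In the sample data, `jdoe` is the Pagosa Springs pattern: an account that stayed enabled months after HR recorded the departure, and would have been caught by the first review run after termination.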

The provisioning of workforce access to information systems containing ePHI is “common sense,” but the actual implementation requires continuous vigilance and oversight by the covered entity to prevent unauthorized access to and disclosure of ePHI.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising
