HIPAA Case: Hospital Fined for Ex-Employee's Access to PHI
Enforcement Action is the Third in Recent Weeks, Eighth This Year
In its third enforcement action in recent weeks, federal regulators have hit a Colorado medical center with a HIPAA fine in a case involving failure to terminate a former employee's remote access to patient data.
In a statement, the Department of Health and Human Services' Office for Civil Rights said Pagosa Springs Medical Center in Colorado has agreed to pay a $111,400 financial settlement and adopt a substantial corrective action plan to resolve potential HIPAA violations.
Sending a Message
Privacy attorney Iliana Peters of the law firm Polsinelli notes that in all HIPAA settlement agreements, OCR attempts to send a message to covered entities and business associates.
"Here, OCR is highlighting impermissible disclosures involving electronic PHI, particularly with regard to two ways that PHI that covered entities and business associates hold may be especially vulnerable - outdated access controls and lack of business associate agreements," she says.
"The well-known threat to PHI from insiders goes up significantly when such individuals leave an entity, so revoking privileges of such individuals should be a priority for HIPAA covered entities and business associates."
Peters, who formerly worked at OCR, also stresses: "HIPAA covered entities and business associates should take the messages of this case to heart, and use the case as a 'teachable moment' for their organizations."
The settlement with PSMC, a small, critical access hospital, resolves an OCR investigation launched in 2013 into a complaint alleging that a former PSMC employee continued to have remote access to the medical center's web-based scheduling calendar, which contained patients' electronic protected health information, after leaving the staff.
OCR's investigation found that the medical center impermissibly disclosed the ePHI of hundreds of individuals to its former employee and to the web-based scheduling calendar vendor without a required business associate agreement in place.
The resolution agreement between OCR and PSMC notes that the medical center failed to de-activate the former employee's username and password following termination of employment.
In addition, PSMC impermissibly disclosed the PHI of at least 557 individuals to Google, its business associate, without obtaining satisfactory assurances from Google in the form of a written business associate agreement stating that Google would appropriately safeguard the PHI.
"It's common sense that former employees should immediately lose access to protected patient information upon their separation from employment," said OCR Director Roger Severino in the statement. "This case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn't."
Corrective Action Plan
Under the two-year corrective action plan, PSMC has agreed to:
- Update its security management, including revising its policies and procedures relating to uses and disclosures of PHI;
- Revise its policies and procedures related to business associates and business associate agreements;
- Train its workforce members regarding those issues.
PSMC did not immediately respond to Information Security Media Group's request for comment on the settlement.
Inappropriate access by former employees to patient data was also at the heart of OCR's $5.5 million HIPAA settlement in 2017 with Florida-based Memorial Healthcare System, notes Peters, the attorney, who formerly was an enforcement leader at OCR.
In that case, log-in credentials of a former employee of an affiliated physician's office had been used to access the electronic PHI maintained by the healthcare system on a daily basis without detection from April 2011 to April 2012, affecting 80,000 individuals.
The settlement with PSMC is the third that OCR has announced in recent weeks, and the agency's eighth HIPAA enforcement action so far this year.
On Dec. 4, OCR announced a $500,000 HIPAA settlement and corrective action plan with Advanced Care Hospitalists, a Florida-based company that provides contracted physicians to hospitals and nursing homes. The breach case involved the lack of a business associate agreement with an individual providing billing services and the exposure of patient data on a website.
On Nov. 16, OCR announced it had signed a $125,000 settlement with Allergy Associates of Hartford, a three-doctor practice in Connecticut, in a breach case involving improper disclosure of patient information to the media.
And in October, OCR signed a record $16 million settlement with Anthem in the wake of a cyberattack on the health insurer revealed in 2015 that resulted in a massive health data breach impacting nearly 79 million individuals (see: Anthem Mega Breach: Record $16 Million Settlement).
OCR's HIPAA financial settlements so far this year total more than $25.6 million.