The U.S. Department of Health and Human Services, Office for Civil Rights (“OCR”) announced that Pagosa Spring Medical Center (“PSMC”), a Colorado hospital, agreed to pay $111,400 to settle allegations of HIPAA violations stemming from the hospital’s failure to deactivate a former employee’s access to protected health information (“PHI”) and its failure to have a business associate agreement (“BAA”) in place with Google.
PSMC is a critical access hospital with 11 inpatient beds, 24-hour emergency care, imaging and other outpatient services. The OCR’s investigation of PSMC was initiated by a complaint. The OCR’s investigation revealed that:
According to a report from Saul Ewing Arnstein & Lehr LLP, PSMC failed to deactivate a former employee’s user name and password, resulting in the impermissible disclosure of the PHI of more than 500 individuals to the former employee.
PSMC disclosed PHI of more than 500 individuals to its vendor Google, but PSMC did not have a BAA as required by HIPAA with Google.
In addition to the $111,400 payment, PSMC and the OCR entered into a two-year Corrective Action Plan (CAP) requiring it to:
Revise policies and procedures relating to business associates
Revise policies and procedures relating to uses and disclosures of PHI
Develop a current and comprehensive risk analysis of security vulnerabilities to submit to the OCR for review
Prepare a risk management plan based on the findings in the risk analysis
Train its workforce on the new policies and procedures required by the CAP
Prepare and submit reports to the OCR with respect to its compliance with the CAP
Covered entities and business associates must have effective HIPAA compliance programs in place that include BAAs with their business associates and immediate termination of access to PHI when an employee is no longer employed by the covered entity or business associate.
For expert HIPAA compliance guidance for your practice or business, contact HIPAAcraticRx.