The Department of Health and Human Services' Office for Civil Rights (OCR) fined Pagosa Springs Medical Center (PSMC) $111,400 for failing to terminate a former employee's access to electronic protected health information (ePHI) after the employment ended, according to HealthITSecurity.
According to officials, the employee continued to have remote access to PSMC’s scheduling calendar, which contained the ePHI of 557 patients. The employee accessed the calendar on two separate occasions, two months apart.
Not only that, the investigation found that PSMC had failed to secure a business associate agreement with Google, the vendor of its web-based scheduling calendar.
Under the settlement, PSMC must pay the fine and follow a two-year corrective action plan. Officials said the provider must update its security management process and its business associate agreement process, along with its policies and procedures. PSMC will also need to train its workforce on the new policies.
“It’s commonsense that former employees should immediately lose access to protected patient information upon their separation from employment,” OCR Director Roger Severino said in a statement. “This case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn’t.”
Under HIPAA, covered entities must secure a business associate agreement with every vendor that creates, receives, maintains or transmits patient data on their behalf. Further, organizations should lean on identity and access management (IAM) to know who has access to ePHI and when they used it, while working with the human resources department so that an employee's access is revoked as soon as employment is terminated and any access after that date is caught.
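The HR-to-IAM reconciliation described above, as an added example that is not from the article and not PSMC's or OCR's own tooling. It joins a constructed HR termination feed to a constructed IAM account export and a constructed audit log in the form `<ISO timestamp> <username> <action> <resource>`, then reports two things a reviewer would want: accounts still enabled for terminated staff, and any access events after an owner's termination date (the second check catches the case on this page, where a disabled-on-paper account kept being used). All names, dates, the log format and the data are assumptions made for illustration.

```python
"""Reconcile an HR termination list against IAM accounts and access logs.

Added example, not from the article or from PSMC/OCR. Every identifier,
the log format and the sample data are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class Employee:
    emp_id: str
    terminated_on: Optional[datetime]  # None while still employed


@dataclass(frozen=True)
class Account:
    username: str
    emp_id: str
    enabled: bool


# Constructed HR feed: the control depends on HR supplying a termination date.
HR_ROSTER = [
    Employee("E100", None),
    Employee("E200", datetime(2018, 5, 1, tzinfo=timezone.utc)),
    Employee("E300", datetime(2018, 6, 15, tzinfo=timezone.utc)),
]

# Constructed IAM export: E200 was terminated but the account is still enabled.
IAM_ACCOUNTS = [
    Account("alice", "E100", True),
    Account("bob", "E200", True),
    Account("carol", "E300", False),
]

# Constructed audit log, one event per line: "<ISO timestamp> <user> <action> <resource>".
ACCESS_LOG = """\
2018-04-30T08:02:11Z bob read calendar/scheduling
2018-05-14T21:40:03Z bob read calendar/scheduling
2018-07-02T09:15:27Z bob read calendar/scheduling
2018-07-02T09:16:00Z alice read calendar/scheduling
2018-06-14T17:00:00Z carol read calendar/scheduling
""".splitlines()


def parse_log_line(line):
    """Split one constructed log line into (timestamp, user, action, resource)."""
    ts, user, action, resource = line.split(" ", 3)
    # fromisoformat() accepts "Z" only on Python 3.11+, so normalise it first.
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), user, action, resource


def terminated_employees(roster):
    """Map emp_id -> termination timestamp for everyone HR says has left."""
    return {e.emp_id: e.terminated_on for e in roster if e.terminated_on is not None}


def find_orphaned_accounts(roster, accounts):
    """Accounts still enabled although HR lists the owner as terminated."""
    terminated = terminated_employees(roster)
    return sorted(a.username for a in accounts if a.enabled and a.emp_id in terminated)


def find_post_termination_access(roster, accounts, log_lines):
    """Events by any account (enabled or not) dated after the owner's termination."""
    terminated = terminated_employees(roster)
    owner = {a.username: a.emp_id for a in accounts}
    findings = []
    for line in log_lines:
        ts, user, _action, resource = parse_log_line(line)
        emp = owner.get(user)  # unknown accounts are not HR-linked and are skipped here
        if emp in terminated and ts > terminated[emp]:
            findings.append((user, ts.isoformat(), resource))
    return findings


if __name__ == "__main__":
    for name in find_orphaned_accounts(HR_ROSTER, IAM_ACCOUNTS):
        print(f"ORPHANED ACCOUNT: {name} is enabled for a terminated employee")
    for user, when, resource in find_post_termination_access(HR_ROSTER, IAM_ACCOUNTS, ACCESS_LOG):
        print(f"POST-TERMINATION ACCESS: {user} touched {resource} at {when}")
```

Running the script flags `bob` as an orphaned account and lists his two calendar reads after the termination date; `carol` is not reported, because her only event precedes her termination and her account is already disabled. In practice the HR feed and the IAM export come from systems of record rather than inline constants, and the job should run on a schedule so that the gap between an HR separation and access removal is measured in hours, not the months seen in this case.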
Severino has reiterated that HIPAA enforcement will increase at OCR under his tenure. This is the second OCR settlement in the last month related to a missing business associate agreement.
For HIPAA guidance and best practices for your medical practice, contact HIPAAcraticRx.