Colorado Hospital pays fine after a former employee retained access to ePHI after termination.

The Pagosa Springs Medical Center (PSMC) is a Colorado critical access hospital that agreed to pay $111,400 to settle potential violations of the HIPAA Privacy and Security Rules. This hospital employed about 175 workers and provided more than 17,000 clinic and hospital visits annually. The complaint stemmed from a situation where a former employee did not have their access to PSMC’s scheduling calendar terminated when their employment ended.

This former employee was still able to remotely access the web-based service, meaning that PSMC impermissibly disclosed the electronic protected health information (ePHI) of 557 individuals over the course of the incident. The Office of Civil Rights (OCR) also discovered in the course of its investigation that there was no Business Associate Agreement (BAA) in place with the web-based scheduling calendar vendor, meaning that the ePHI was also impermissibly disclosed to the vendor.

While it is obvious that an employee should lose access to sensitive data once their employment ends, without proper documentation of procedures it may be difficult to track down every access and ensure they are resolved. Over the course of off-boarding it is not difficult to see where one application may be missed. This represents not only a security risk (what if that employee left on bad terms, yet retained access to either PHI or sensitive business information or credentials?) but a clear HIPAA violation and therefore risks enforcement action. This underscores the need to have all data repositories documented, to always know where PHI may be stored and who has access to it, and to have procedures documented on the steps to comprehensively terminate all access privileges for an individual when they leave employment. Whether your organization has high turn over and this must be done on a regular basis, or if your rarely ever lose and employee and this only comes up once or twice a year, having it documented, repeatable, and provable is a clear advantage for keeping your practice compliant and secure.

Healthcare Technology Advisors often works with our clients to improve documentation and procedures, both to improve HIPAA compliance and general workplace efficiency. Whether you’re starting from a point of compliance need or basic operational efficiency, HTA can assist with these processes and bring you up to speed.