Pagosa Springs Medical Center (PSMC) has agreed to pay $111,400 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) for an alleged violation of HIPAA. OCR found that the company failed to deactivate a former employee’s access to a web-based calendar that contained the protected health information (PHI) of 557 patients. The company also failed to obtain a business associate agreement (BAA) with the calendar company (Google).
Under the 2-year resolution agreement, PSMC agreed to:
- revise their policies and procedures around business associate relationships;
- revise its policies and procedures about the use and disclosure of PHI to make sure that employees can identify what might be impermissible uses of PHI and know how and when to report issues to the privacy and/or security officer;
- develop a risk analysis of security risks and vulnerabilities;
- create new training materials and re-train all workforce members who use or disclose PHI within 60-daysm repeat this training annually, and train all new hires within 15-days of hire; and
- revise their procedures around notifying HHS of reportable events in the future.
According to the press release: “It’s common sense that former employees should immediately lose access to protected patient information upon their separation from employment,” said OCR Director Roger Severino. “This case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn’t.”
Also of Interest Regarding HIPAA
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz of the International Privacy + Security Forum (Apr. 3-5, 2019 in Washington, DC), an annual event that aims to bridge the silos between privacy and security.