The Pagosa Springs Medical Center (PSMC) in Colorado has been forced to settle a HIPAA violation with the Office for Civil Rights (OCR).

The OCR imposed a fine of $111,400 for PSMC’s failure to terminate a former employee’s access to patients’ Protected Health Information (PHI).

After leaving employment with PSMC, the former employee was still able to remotely access information contained within a web-based calendar. The ePHI of 557 patients was inadvertently exposed to the former employee before the breach was discovered and corrected.

During the investigation, the OCR also discovered the web-based calendar vendor did not have a business associate agreement with PSMC.

In addition to paying the $111,400 fine, PSMC has also been ordered to undergo a corrective action plan lasting 2 years. This corrective action plan will entail updating PSMC’s security management policies and practices, as well as re-training the Center’s 175 employees on the updated policies. Additionally, PSMC will be required to update its business associate agreement and ensure one is in place with all third-party vendors.

“It’s common sense that former employees should immediately lose access to protected patient information upon their separation from employment,” OCR Director Roger Severino said in a statement. “This case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn’t.”

Sometimes even a lack of action can create substantial legal issues, especially when protected health information is concerned. Simply being familiar with HIPAA compliance can help an organization avoid paying thousands of dollars in hefty fines and spending years under intense scrutiny.

Visit HIPAAgps to learn more about HIPAA compliance and what you can do to protect your business from unexpected breaches.