Colorado hospital to pay $111K HIPAA settlement

Pagosa Springs (Colo.) Medical Center has agreed to pay $111,400 to the HHS Office for Civil Rights and adopt a corrective action plan to settle allegations that it failed to terminate a former employee's access to protected health information held online.

The settlement resolves a complaint alleging that a former employee of Pagosa Springs Medical Center continued to have remote access to the critical access hospital's web-based scheduling calendar, which contained patients' protected health information.

The civil rights office's investigation determined that, as a result of this continued access, Pagosa Springs Medical Center disclosed health information of 557 patients to the former employee. The office also found that the hospital had disclosed this patient data to the scheduling calendar vendor without a business associate agreement, as required by HIPAA.

Under the two-year corrective action plan, Pagosa Springs Medical Center has agreed to update its security management and business associate agreement, among other policies.

"It's common sense that former employees should immediately lose access to protected patient information upon their separation from employment," OCR Director Roger Severino said. "This case underscores the need for covered entities to always be aware of who has access to their [electronic protected health information] and who doesn't."

To download Pagosa Springs Medical Center's resolution agreement and corrective action plan, click here.


© Copyright ASC COMMUNICATIONS 2019.