Colorado hospital to pay $111K HIPAA settlement

Jessica Kim Cohen -

Pagosa Springs (Colo.) Medical Center has agreed to pay $111,400 to the HHS Office for Civil Rights and adopt a corrective action plan to settle allegations that it failed to terminate a former employee's access to protected health information held online.

The settlement resolves a complaint alleging that a former employee of Pagosa Springs Medical Center continued to have remote access to the critical access hospital's web-based scheduling calendar, which contained patients' protected health information.

The civil rights office's investigation determined that, as a result of this continued access, Pagosa Springs Medical Center disclosed health information of 557 patients to the former employee. The office also found that the hospital had disclosed this patient data to the scheduling calendar vendor without a business associate agreement, as required by HIPAA.

Under the two-year corrective action plan, Pagosa Springs Medical Center has agreed to update its security management and business associate agreement, among other policies.

"It's common sense that former employees should immediately lose access to protected patient information upon their separation from employment," OCR Director Roger Severino said. "This case underscores the need for covered entities to always be aware of who has access to their [electronic protected health information] and who doesn't."

To download Pagosa Springs Medical Center's resolution agreement and corrective action plan, click here.

Copyright © 2022 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.