Topics
More on Compliance & Legal

Pagosa Springs Medical Center settles with OCR over hospital's failure to terminate former employee's access to PHI

A complaint said a former PSMC employee continued to have remote access to PSMC's web-based scheduling calendar even after separation of employment.

Beth Jones Sanborn, Managing Editor

Pagosa Springs Medical Center has agreed to pay $111,400 to the Office for Civil Rights and will adopt a "substantial" corrective action plan to settle a complaint that alleged HIPAA violations stemming from a former employee that had access to electronic private health information following separation of employment, according to the Department of Health and Human Services.

PSMC is a critical access hospital in Colorado. At the time of OCR's investigation, it provided more than 17,000 hospital and clinic visits annually and employed more than 175 individuals.

The complaint said a former PSMC employee continued to have remote access to PSMC's web-based scheduling calendar even after separation of employment. The calendar contained patients' electronic protected health information (ePHI). An OCR investigation revealed that PSMC "impermissibly disclosed the ePHI of 557 individuals to its former employee and to the web-based scheduling calendar vendor without a HIPAA required business associate agreement in place."

WHY IT MATTERS
Under the two-year corrective action plan, PSMC will update its security management and business associate agreement, policies and procedures, and train its workforce members regarding the same.

THE TREND

While ransomware and malware are top of mind as potential threats to security, many times security risks exist within the walls of a hospital as well. Everything from phishing emails to stolen laptops have given way to breaches or near-misses. Organizations that don't have or don't adhere to procedures to terminate information access privileges upon employee separation can face HIPAA enforcement action. Additionally, organizations would do well to examine vendors relationships and ensure that the needed business associate agreements are in place.

ON THE RECORD
"It's common sense that former employees should immediately lose access to protected patient information upon their separation from employment," said OCR Director Roger Severino. "This case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn't."

Pagosa Springs Medical Center had not responded to a request for comment at the time of publishing.

Twitter: @BethJSanborn
Email the writer: beth.sanborn@himssmedia.com

Show All Comments