[BreachExchange] OCR Fines Colorado Provider $111, 000 for HIPAA Violations

[Destry Winant]

https://healthitsecurity.com/news/ocr-fines-colorado-provider-111000-for-hipaa-violations

The Department of Health and Human Services’ Office for Civil Rights
fined Pagosa Springs Medical Center $111,400, for failing to terminate
a former employee’s access to electronic protected health information,
after the employment ended.

Accordint to officials, the employee continued to have remote access
to PSMC’s scheduling calendar, which contained the ePHI of 557
patients. The employee accessed the calendar on two separate
occasions, two months apart.

Not only that, the investigation found PSMC failed to secure a
business associate agreement with Google, its web-based, scheduling
calendar vendor.

Under the settlement, PSMC must follow a two-year corrective action
plan. Officials said the provider must update its security management
and business associate agreement, along with its policies and
procedures. PCMC will also need to train its workforce on these new
policies.

Specifically, the agreement noted that PSMC must designate an
individual responsible for ensuring all third-party vendors that
handle patient data enter into a business associate agreement, while
creating a process to assess current and future vendors to determine
what is considered a business associate under HIPAA.

“It’s commonsense that former employees should immediately lose access
to protected patient information upon their separation from
employment,” OCR Director Roger Severino said in a statement.  “This
case underscores the need for covered entities to always be aware of
who has access to their ePHI and who doesn’t.”

Under HIPAA, covered entities must secure a business associate
agreement with all vendors that interact with patient data. Further,
organizations should lean on identity access management to determine
who has access to the data and when, while working with the human
resource department to ensure employee access is revoked after
employment is terminated.

Severino has reiterated that HIPAA enforcement will increase at OCR,
under his tenure. This is the second OCR settlement related to a lack
of business associate agreement in the last month.

Florida-based Advanced Care Hospitalists settled with OCR on December
4, for contracting and operating with a billing vendor – without
confirming the vendor’s identity or obtaining a business associate
agreement.

And a week prior to that settlement, OCR fined Allergy Associates of
Hartford $125,000, for a 2015 incident involving the impermissible
disclosure of patient data to a reporter.