CYBERSECURITY

HIPAA ePHI Violation Costs Colorado Hospital $111,400

Case: This case began when the Office of Civil Rights (OCR) received a complaint contending that an ex-employee of Pagosa Springs Medical Center (PSMC) still had remote access to the critical access hospital’s web-based scheduling calendar containing electronic PHI of 557 patients. OCR investigators confirmed the allegation and found that the ex-employee had accessed the calendar on at least 2 occasions since leaving PSMC. To make matters worse, PSMC got the calendar from Google without having it sign a business associate agreement (BAA) (at the time, Google Calendar wasn’t a “HIPAA compliant” service the way it is today). In addition to the $111,400 fine, the settlement requires PSMC to sign an onerous 2-year Corrective Action Plan with OCR, agreeing to overhaul its information security management, BAA and employee training systems.

Significance: The moral of this case is to ensure that your lab:

  • Immediately terminates employees’ access to ePHI when they leave your company or remain but no longer require access to do their jobs; and
  • Enters into a BAA with vendors before disclosing your ePHI to them.