
HIPAA ePHI Violation Costs Colorado Hospital $111,400

by | Feb 15, 2019 | Essential, HIPAA-nir, Labs in Court-nir, National Lab Reporter


Case: This case began when the Office of Civil Rights (OCR) received a complaint contending that an ex-employee of Pagosa Springs Medical Center (PSMC) still had remote access to the critical access hospital's web-based scheduling calendar containing electronic PHI of 557 patients. OCR investigators confirmed the allegation and found that the ex-employee had accessed the calendar on at least 2 occasions since leaving PSMC. To make matters worse, PSMC got the calendar from Google without having it sign a business associate agreement (BAA) (at the time, Google Calendar wasn't a "HIPAA compliant" service the way it is today). In addition to the $111,400 fine, the settlement requires PSMC to sign an onerous 2-year Corrective Action Plan with OCR, agreeing to overhaul its information security management, BAA and employee training systems.

Significance: The moral of this case is to ensure that your lab:

  • Immediately terminates employees’ access to ePHI when they leave your company or remain but no longer require access to do their jobs; and
  • Enters into a BAA with vendors before disclosing your ePHI to them.
