December 11, 2018- Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security rules requires all healthcare covered entities and their business associates to conduct security risk analysis of their IT infrastructure annually and with any change in process or system. As part of HIPAA rules, all covered entities and their business associates are required to have proper procedure in place to terminate any employees.

Pagosa Springs Medical Center (PSMC) has agreed to pay $111,400 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services and to adopt a substantial corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. PSMC is a critical access hospital, that at the time of OCR’s investigation, provided more than 17,000 hospital and clinic visits annually and employs more than 175 individuals.

The settlement resolves a complaint alleging that a former PSMC employee continued to have remote access to PSMC’s web-based scheduling calendar, which contained patients’ electronic protected health information (ePHI), after separation of employment. OCR’s investigation revealed that PSMC impermissibly disclosed the ePHI of 557 individuals to its former employee and to the web-based scheduling calendar vendor without a HIPAA required business associate agreement in place.

Under the two-year corrective action plan, PSMC has agreed to update its security management and business associate agreement, policies and procedures, and train its workforce members regarding the same.

**Listen to EHR 2.0’s HIPAA Compliance webinar**

Covered entities that do not have or follow procedures to terminate information access privileges upon employee separation risk a HIPAA enforcement action. Covered entities must also evaluate relationships with vendors to ensure that business associate agreements are in place with all business associates before disclosing protected health information.

The resolution agreement and corrective action plan may be found on the OCR website at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/pagosasprings.

Interested in becoming HIPAA Compliant? Industry certified professionals at EHR 2.0 can help keep up your business posture. Contact us at 866-276-8309 or info@ehr20.com

Share this in :

Bio
Latest Posts

EHR 2.0

Our mission is to assist healthcare organizations and business associates in the development, design, and implementation of practices to secure IT systems and comply with HIPAA/HITECH privacy, security, breach and enforcement rules by protecting patient health information.

Latest posts by EHR 2.0 (see all)

HIPAA Complaint Process Infographic Released by HHS - July 15, 2019
New HHS Fact Sheet on Direct Liability of Business Associates under HIPAA - June 5, 2019
California Consumer Privacy Act of 2018 – Bill Text - April 4, 2019

On December 12, 2018 / Data Breach, HIPAA Business Associate, HIPAA/HITECH Compliance Assurance, HIPPA/HITECH Penalties, Risk Analysis for Meaningful Use

Colorado hospital failed to terminate former employee’s access to ePHI

EHR 2.0

Latest posts by EHR 2.0 (see all)

From our satisfied HIPAA compliance consulting customer:

From our satisfied HIPAA compliance DIY online toolkit customer:

From our satisfied MU pre-payment audit customer:

From our satisfied HIPAA compliance consulting customer:

MIPS/MACRA Security Risk Assessment Requirements for Attestation

Additional Resources

Subscribe

Follow Us!

Upcoming Events

MIPS/MACRA Security Risk Assessment Requirements for Attestation

Recent Posts