Failure to terminate access of departing employee leads to HIPAA penalty

A critical access hospital in Colorado will pay $114,000 in a settlement with the Office of Civil Rights (OCR) stemming from the failure to terminate a former employee’s access to a hospital database containing protected health information (PHI).

OCR recently announced the settlement with Pagosa Springs Medical Center. OCR’s investigation found that a former employee of the hospital continued to have remote access to the hospital’s web-based scheduling calendar, which contained patients’ PHI even after separation of employment, allowing the former employee access to the PHI of 557 individuals. Additionally, the investigation found that the hospital did not have a business associate agreement in place with the web-based scheduling calendar vendor.

In a prior enforcement action, a health system paid $5.5 million to settle alleged HIPAA violations when the login credentials of a former employee of an affiliate were used to access a database containing PHI on a regular basis without detection for a year.   

HIPAA requires covered entities to have workforce security policies in place regarding the right of access to PHI. Specifically, covered entities must implement procedures “for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends.” Keep in mind, as the Pagosa Springs Medical Center case shows, these policies should not be limited to termination of access to the covered entity’s EHR but, rather, any and all systems or databases that include PHI.