
HIPAA Privacy & Security Updates—From Dorothy Cociu, COIN Editor and HIPAA Privacy & Security Consultant & Trainer, March 2019

I only have one HIPAA Privacy & Security enforcement action to report this issue.

On December 11, 2018, HHS/OCR announced that a Colorado hospital, Pagosa Springs Medical Center (PSMC), agreed to pay $111,400 to the Office for Civil Rights (OCR) at the US Department of Health & Human Services and to adopt a substantial corrective action plan to settle potential violations of the HIPAA Privacy & Security Rules. PSMC is a critical access hospital that, at the time of the OCR investigation, provided more than 17,000 hospital and clinic visits annually and employed more than 175 individuals.

The settlement resolves a complaint alleging that a former PSMC employee continued to have remote access to PSMC’s web-based scheduling calendar, which contained patients’ electronic protected health information (ePHI), after separation of employment. OCR’s investigation revealed that PSMC impermissibly disclosed the ePHI of 557 individuals to its former employee and to the web-based scheduling calendar vendor without a HIPAA-required business associate agreement in place.

Under the two-year corrective action plan, PSMC has agreed to update its security management processes and business associate agreements, update its policies and procedures, and train its workforce members on the same.

Covered entities that do not have, or do not follow, procedures to terminate information-access privileges upon employee separation risk a HIPAA enforcement action. Covered entities must also evaluate their relationships with vendors to ensure that business associate agreements (BAAs) are in place with all business associates before disclosing PHI.

In the next issue, I will address new California Privacy Laws going into effect in 2020, if space permits.