Feds fine hospital that didn’t cut data access to former employee

Pagosa Springs Medical Center in Colorado, a critical access hospital, will pay $111,400 to the HHS Office for Civil Rights.

The small provider is being hit after neglecting to terminate access to protected health information after an employee left the practice.

A complaint sent to OCR alleged the former employee continued to have access to a web-based scheduling calendar, which resulted in the protected health information of 557 individuals being disclosed to the former employee.


The hospital also was found to not have a business associate agreement in place as part of its policies. In recent months, the federal agency has been cracking down on the requirement that all holders of PHI have such agreements.


“Covered entities that do not have or follow procedures to terminate information access privileges upon employee separation risk a HIPAA enforcement action,” the department notes. “Covered entities also must evaluate relationships with vendors to ensure that business associate agreements are in place with all business associates before disclosing protected health information.”

As part of the work to improve compliance with HIPAA, Pagosa Springs Medical Center, under a two-year OCR-directed corrective action plan, will update its security management, business associate agreements, policies and procedures, and train its employees to do the same.

Immediate comment from the organization was not available. The resolution agreement and corrective action plan are available here.
