An employee who is fired can steal data and ruin your reputation long after they leave if their computer access is not terminated right away. A HIPAA Risk Analysis can help prevent this costly mistake.
Municipal Departments are Not Immune to HIPAA Enforcement
The City of New Haven Health Department in Connecticut paid the Office for Civil Rights (OCR), which enforces HIPAA, $202,400 to settle an investigation into HIPAA violations after the data breach was discovered.
A former employee of the City of New Haven Health Department returned to the department eight days after being let go, logged into her old computer with her still-active user name and password, and downloaded onto a thumb drive protected health information (PHI) that included patient names, addresses, dates of birth, race/ethnicity, gender, and sexually transmitted disease test results. In its investigation the Office for Civil Rights (OCR) also found that the former employee had shared her user ID and password with an intern, who continued to use these login credentials to access PHI on New Haven’s network after the employee was terminated. At least 498 patient files may have been accessed.
HIPAA Risk Analysis Missing
Among the problems OCR found were that the City of New Haven Health Department failed:
- to conduct an enterprise-wide risk analysis;
- to implement termination procedures and access controls such as unique user identification; and
- to implement HIPAA Privacy Rule policies and procedures.
OCR Director Roger Severino commented on the New Haven settlement,
“Medical providers need to know who in their organization can access patient data at all times. When someone’s employment ends, so must their access to patient records.”
In addition to the monetary settlement, the City of New Haven Health Department agreed to a two-year Corrective Action Plan.
HIPAA Privacy and Security Rules Both Matter
Although the City of New Haven was called out for failing to have HIPAA Privacy Rule policies and procedures, it also clearly did not have adequate policies for the Security Rule. Employee access to electronic records, along with appropriate password and login procedures, is governed by the Security Rule.
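The two Security Rule failures described in this case, an account left active after termination and a shared credential used by someone else, are both things an offboarding reconciliation can catch. The script below is an added example and is not code from the original post or from The HIPAA E-Tool®; the HR roster, directory export and log lines are constructed for illustration, and the log format is an assumption. It compares the termination roster against enabled accounts, flags successful logins that occur after a user's termination date, and lists user IDs that log in from more than one host, which is a signal (not proof) of credential sharing worth reviewing wherever unique user identification is required.

```python
"""Added example (not from the original post): reconcile an HR termination
roster against directory accounts and an authentication log. All data below
is constructed for illustration; the log format is an assumption."""
from datetime import datetime, date

# Constructed HR roster: user ID -> termination date (None = still employed)
TERMINATIONS = {
    "jdoe": date(2024, 3, 1),
    "asmith": None,
    "intern01": None,
}

# Constructed directory export: user ID -> account enabled?
DIRECTORY = {
    "jdoe": True,      # never disabled at offboarding
    "asmith": True,
    "intern01": True,
}

# Constructed auth log lines: "<ISO timestamp> <user> <source IP> <result>"
AUTH_LOG = """\
2024-02-28T09:01:12 jdoe 10.0.5.21 success
2024-03-02T08:15:40 asmith 10.0.5.30 success
2024-03-09T07:42:05 jdoe 10.0.5.21 success
2024-03-11T13:20:18 jdoe 10.0.7.88 success
2024-03-11T13:21:00 jdoe 10.0.7.88 failure
"""


def parse_auth_log(text):
    """Parse the assumed whitespace-separated log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "result": result})
    return events


def stale_accounts(terminations, directory):
    """User IDs of terminated people whose accounts are still enabled."""
    return sorted(u for u, term in terminations.items()
                  if term is not None and directory.get(u, False))


def post_termination_logins(terminations, events):
    """Successful logins under a user ID after that user's termination date."""
    hits = []
    for e in events:
        term = terminations.get(e["user"])
        if term is not None and e["result"] == "success" and e["ts"].date() > term:
            hits.append(e)
    return hits


def shared_credential_indicators(events):
    """User IDs seen logging in successfully from more than one source IP.
    Not proof of sharing on its own, but a review signal when unique user
    identification is required."""
    ips = {}
    for e in events:
        if e["result"] == "success":
            ips.setdefault(e["user"], set()).add(e["ip"])
    return {u: sorted(s) for u, s in ips.items() if len(s) > 1}


if __name__ == "__main__":
    ev = parse_auth_log(AUTH_LOG)
    print("enabled after termination:", stale_accounts(TERMINATIONS, DIRECTORY))
    for h in post_termination_logins(TERMINATIONS, ev):
        print("login after termination:", h["ts"].isoformat(), h["user"], h["ip"])
    print("user IDs seen from multiple hosts:", shared_credential_indicators(ev))
```

In practice the roster comes from the HR system and the directory export from Active Directory or the EHR's user table, and the reconciliation runs on a schedule so that a missed disablement is noticed in hours rather than, as here, never.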
A Thorough Risk Analysis Uncovers Gaps
A complete HIPAA Risk Analysis will reveal weaknesses like those at the City of New Haven Health Department. The Security Rule checklist in The HIPAA E-Tool® Risk Analysis section ensures that user access rules are in place, user identification is strict, and password protection is strong, among other procedures.
All the required policies for the Privacy, Security and Breach Notification Rules are included, with step-by-step guidance on how to complete a full HIPAA Risk Analysis.
Don’t be surprised by a fired employee returning to steal patient data. You can prevent this mistake with good plans and strong compliance.