When a hospital worker accessed patient information post-employment, HIPAA regulators hit the former employer with a $111,400 fine.
Administrators at Pagosa Springs Medical Center (PSMC), located in Southwest Colorado, thought their relationship with the employee was finished when the desk was cleared and the badge was returned.
Username and Password Management
Little did PSMC know that access to electronic protected health information (ePHI), in the form of a Google Calendar account, continued after the employee walked out the door.
The hospital had failed to deactivate the former employee’s Google Calendar username and password. The former employee continued to access the web-based calendar over the course of several months, leading to the impermissible disclosure of 557 patient records.
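The gap described above is an offboarding reconciliation failure: nobody compared the HR termination list against the accounts that were still live. As an added example (not the post's or PSMC's own tooling), the Python below reconciles a constructed HR roster against a constructed account export and flags accounts still enabled after the owner left, sign-ins recorded after the termination date, and enabled accounts with no HR record at all; the e-mail addresses, dates and field names are assumptions.

```python
from datetime import date

# Constructed sample data (not from the post): an HR roster with termination
# dates and a SaaS account export with status and last sign-in, as an
# administrator might pull from an identity provider or calendar service.
HR_ROSTER = [
    {"email": "alice@example.test", "terminated": "2018-05-15"},
    {"email": "bob@example.test",   "terminated": None},
    {"email": "carol@example.test", "terminated": "2018-06-01"},
]
ACCOUNT_EXPORT = [
    {"email": "alice@example.test", "suspended": False, "last_login": "2018-09-20"},
    {"email": "bob@example.test",   "suspended": False, "last_login": "2018-09-21"},
    {"email": "carol@example.test", "suspended": True,  "last_login": "2018-05-30"},
    {"email": "dave@example.test",  "suspended": False, "last_login": "2018-09-19"},
]


def find_offboarding_gaps(roster, accounts, as_of):
    """Reconcile HR terminations against live accounts.

    Returns one (email, reason) finding per problem: an account still
    enabled after the owner's termination date, a sign-in recorded after
    that date, or an enabled account with no HR record at all (an orphan
    that no offboarding checklist will ever disable).
    """
    as_of = date.fromisoformat(as_of)
    terminated = {r["email"]: date.fromisoformat(r["terminated"])
                  for r in roster if r["terminated"]}
    known = {r["email"] for r in roster}
    findings = []
    for acct in accounts:
        email = acct["email"]
        if email not in known:
            if not acct["suspended"]:
                findings.append((email, "enabled account with no HR record"))
            continue
        if email not in terminated:
            continue  # current employee, nothing to check here
        end = terminated[email]
        if not acct["suspended"]:
            days = (as_of - end).days
            findings.append((email, f"still enabled {days} days after termination"))
        last = date.fromisoformat(acct["last_login"])
        if last > end:
            findings.append((email, f"signed in on {last} after termination on {end}"))
    return findings


if __name__ == "__main__":
    for email, reason in find_offboarding_gaps(HR_ROSTER, ACCOUNT_EXPORT, "2018-09-30"):
        print(f"{email}: {reason}")
```

Run against a real export, the same check turns a months-long lapse like the one above into a finding on the day the roster and the account list first disagree.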
Google Calendar Access
Google Calendar was used by PSMC to schedule patient appointments.
Business Associate Agreement Failure
During its investigation, the Office for Civil Rights also discovered the hospital had failed to obtain a signed Business Associate Agreement with Google.
A Business Associate Agreement is an important legal contract required of any non-clinical service provider that has access to patient records. It details how the ePHI will be maintained and managed.
In addition to the fine, PSMC is required to implement a corrective action plan.
Does your business have a plan to protect patient information after an employee or contractor is terminated? What do your Business Associate Agreements look like?