Pagosa Springs Medical Center Pays $111,400 for HIPAA Violations
PSMC failed to terminate a former employee’s access to the hospital’s web-based scheduling calendar.
Pagosa Springs Medical Center (PSMC) in Colorado, has agreed to pay $111,400 to the Office for Civil Rights (OCR) and to adopt a substantial corrective action plan to settle potential HIPAA violations.
The settlement resolves a complaint alleging that a former PSMC employee continued to have remote access to PSMC’s web-based scheduling calendar, which contained patients’ electronic protected health information (ePHI), after separation of employment.
PSMC is a critical access hospital, that at the time of OCR’s investigation, provided more than 17,000 hospital and clinic visits annually and employed more than 175 individuals.
OCR’s investigation revealed that PSMC impermissibly disclosed the ePHI of 557 individuals to its former employee and to the web-based scheduling calendar vendor without a HIPAA required business associate agreement in place.
“The fact that Google missed it here, as well as Pagosa, is pretty distressing,” said Kate Borten, a HIPAA and health information privacy and security expert.
Borten outlined two major factors that healthcare CIOs should take away from this event:
- Use HIPAA settlements as a proactive tool
“Management, whether it’s CIOs, CISOs, somebody needs to be designated to be on that mailing list to read those cases like this one,” she said. “They can be used as a way to check and educate your own organization.”
2. Develop clear policies that outline responsibility
Under the two-year corrective action plan, PSMC has agreed to update its security management and business associate agreement, policies and procedures, and train its staff regarding the updates.
“It’s common sense that former employees should immediately lose access to protected patient information upon their separation from employment,” said OCR Director Roger Severino. “This case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn’t.”
If you appreciated this article and want to receive more valuable industry content like this, click here to sign up for our FREE digital newsletters!
Leading in Turbulent Times: Effective Campus Public Safety Leadership for the 21st Century
This new webcast will discuss how campus public safety leaders can effectively incorporate Clery Act, Title IX, customer service, “helicopter” parents, emergency notification, town-gown relationships, brand management, Greek Life, student recruitment, faculty, and more into their roles and develop the necessary skills to successfully lead their departments. Register today to attend this free webcast!