Pagosa Springs Medical Center Pays $111,400 for HIPAA Violations

PSMC failed to terminate a former employee’s access to the hospital’s web-based scheduling calendar.
Published: December 23, 2018

Pagosa Springs Medical Center (PSMC) in Colorado has agreed to pay $111,400 to the Office for Civil Rights (OCR) and to adopt a substantial corrective action plan to settle potential HIPAA violations.

The settlement resolves a complaint alleging that a former PSMC employee continued to have remote access to PSMC’s web-based scheduling calendar, which contained patients’ electronic protected health information (ePHI), after separation of employment.

PSMC is a critical access hospital that, at the time of OCR’s investigation, provided more than 17,000 hospital and clinic visits annually and employed more than 175 individuals.

OCR’s investigation revealed that PSMC impermissibly disclosed the ePHI of 557 individuals to its former employee and to the web-based scheduling calendar vendor without a HIPAA-required business associate agreement in place.


According to Search Health IT, Google, the vendor named in the resolution agreement, and PSMC did not have the required business associate agreement in place.

“The fact that Google missed it here, as well as Pagosa, is pretty distressing,” said Kate Borten, a HIPAA and health information privacy and security expert.

Borten outlined two major factors that healthcare CIOs should take away from this event:

1. Use HIPAA settlements as a proactive tool

“Management, whether it’s CIOs, CISOs, somebody needs to be designated to be on that mailing list to read those cases like this one,” she said. “They can be used as a way to check and educate your own organization.”

2. Develop clear policies that outline responsibility

“It’s that manager or financial director’s responsibility to say, ‘Remember, you have to tell me as soon as any of your employees are terminated, any employee who has access to our systems,’” Borten said. “That is not necessarily the norm today anywhere. And I think that’s a big gap.”

Under the two-year corrective action plan, PSMC has agreed to update its security management and business associate agreement, policies and procedures, and train its staff regarding the updates.

“It’s common sense that former employees should immediately lose access to protected patient information upon their separation from employment,” said OCR Director Roger Severino. “This case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn’t.”
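The control OCR describes, knowing who still holds access to ePHI after they leave, is something a covered entity can check mechanically rather than rely on a manager remembering to send an email. The following is an added illustration, not code from the article, from PSMC or from any vendor: a reconciliation script that joins an HR separation feed against the user export of a vendor-hosted scheduling calendar and flags every enabled account that belongs to a separated employee or to nobody HR knows about. The CSV layouts, e-mail addresses, dates and the "as of" date are all constructed for the example; a real deployment would substitute the HR system's and vendor's actual export formats.

```python
"""
Offboarding reconciliation: flag enabled accounts on an external system whose
owner HR lists as separated, or who has no HR record at all.

Added example; all data below is constructed and the CSV column layouts are
assumptions standing in for whatever the real HR feed and vendor export use.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional

# --- Constructed sample inputs (not real people, systems or dates) ----------
# HR separation feed: what HR should push to IT on every status change.
HR_FEED_CSV = """email,status,separation_date
a.nurse@example-hospital.test,active,
j.scheduler@example-hospital.test,separated,2018-11-01
m.admin@example-hospital.test,separated,2018-12-10
r.clerk@example-hospital.test,active,
"""

# User export from the vendor-hosted scheduling calendar (constructed).
# Note the mixed-case address: matching must be case-insensitive.
CALENDAR_USERS_CSV = """email,enabled,last_login
a.nurse@example-hospital.test,true,2018-12-20
J.Scheduler@example-hospital.test,true,2018-12-15
m.admin@example-hospital.test,false,2018-12-09
contractor42@example-vendor.test,true,2018-12-18
"""

# Constructed "as of" date for the review run.
REVIEW_DATE = date(2018, 12, 23)


@dataclass(frozen=True)
class HrRecord:
    email: str
    status: str                      # "active" or "separated"
    separation_date: Optional[date]


@dataclass(frozen=True)
class CalendarAccount:
    email: str
    enabled: bool
    last_login: Optional[date]


@dataclass(frozen=True)
class Finding:
    email: str
    reason: str
    days_open: int                   # days the access stayed open past separation
    post_separation_login: bool      # vendor shows a login after the HR separation date


def _parse_date(text: str) -> Optional[date]:
    text = text.strip()
    return date.fromisoformat(text) if text else None


def load_hr_feed(text: str) -> list[HrRecord]:
    return [HrRecord(row["email"].strip(), row["status"].strip().lower(),
                     _parse_date(row["separation_date"]))
            for row in csv.DictReader(io.StringIO(text))]


def load_calendar_users(text: str) -> list[CalendarAccount]:
    return [CalendarAccount(row["email"].strip(),
                            row["enabled"].strip().lower() == "true",
                            _parse_date(row["last_login"]))
            for row in csv.DictReader(io.StringIO(text))]


def reconcile(hr: Iterable[HrRecord], accounts: Iterable[CalendarAccount],
              today: date) -> list[Finding]:
    """One Finding per enabled account that should not be enabled, worst first."""
    hr_by_email = {r.email.lower(): r for r in hr}
    findings: list[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue                                   # already disabled: nothing to do
        rec = hr_by_email.get(acct.email.lower())
        if rec is None:
            # Nobody in HR owns this login: an orphan or third-party account
            # that needs an owner and a business associate agreement to justify it.
            findings.append(Finding(acct.email, "no matching HR record", 0, False))
        elif rec.status == "separated" and rec.separation_date is not None:
            days = (today - rec.separation_date).days
            used_after = acct.last_login is not None and acct.last_login > rec.separation_date
            findings.append(Finding(acct.email, "separated employee still enabled", days, used_after))
    return sorted(findings, key=lambda f: f.days_open, reverse=True)


def run_report(today: date = REVIEW_DATE) -> list[Finding]:
    return reconcile(load_hr_feed(HR_FEED_CSV), load_calendar_users(CALENDAR_USERS_CSV), today)


if __name__ == "__main__":
    for f in run_report():
        print(f"{f.email:40} {f.reason:35} open {f.days_open:3d}d "
              f"login after separation: {f.post_separation_login}")
```

Run against the vendor's export on a schedule and the output is the list to act on before the next audit: the separated scheduler's account is the kind of finding at issue in this settlement, and its post-separation login flag is the detection signal that would have shown the access was actually being used. The orphan account is the second lesson of the case: every login to a system holding ePHI should map to a known person and, for vendor staff, to a business associate agreement.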
