BreachExchange mailing list archives
OCR Fines Colorado Provider $111,000 for HIPAA Violations
From: Destry Winant <destry () riskbasedsecurity com>
Date: Wed, 12 Dec 2018 06:44:14 -0600
https://healthitsecurity.com/news/ocr-fines-colorado-provider-111000-for-hipaa-violations

The Department of Health and Human Services’ Office for Civil Rights fined Pagosa Springs Medical Center $111,400 for failing to terminate a former employee’s access to electronic protected health information after the employment ended.

According to officials, the employee continued to have remote access to PSMC’s scheduling calendar, which contained the ePHI of 557 patients. The employee accessed the calendar on two separate occasions, two months apart.

Not only that, the investigation found PSMC failed to secure a business associate agreement with Google, its web-based scheduling calendar vendor.

Under the settlement, PSMC must follow a two-year corrective action plan. Officials said the provider must update its security management and business associate agreement, along with its policies and procedures. PSMC will also need to train its workforce on these new policies.

Specifically, the agreement noted that PSMC must designate an individual responsible for ensuring all third-party vendors that handle patient data enter into a business associate agreement, while creating a process to assess current and future vendors to determine what is considered a business associate under HIPAA.

“It’s commonsense that former employees should immediately lose access to protected patient information upon their separation from employment,” OCR Director Roger Severino said in a statement. “This case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn’t.”

Under HIPAA, covered entities must secure a business associate agreement with all vendors that interact with patient data. Further, organizations should lean on identity access management to determine who has access to the data and when, while working with the human resource department to ensure employee access is revoked after employment is terminated.
Severino has reiterated that HIPAA enforcement will increase at OCR under his tenure. This is the second OCR settlement related to a lack of a business associate agreement in the last month. Florida-based Advanced Care Hospitalists settled with OCR on December 4 for contracting and operating with a billing vendor – without confirming the vendor’s identity or obtaining a business associate agreement. And a week prior to that settlement, OCR fined Allergy Associates of Hartford $125,000 for a 2015 incident involving the impermissible disclosure of patient data to a reporter.