HIPAA ePHI Violation Costs Colorado Hospital $111,400
Case: This case began when the Office for Civil Rights (OCR) received a complaint contending that an ex-employee of Pagosa Springs Medical Center (PSMC) still had remote access to the critical access hospital’s web-based scheduling calendar, which contained the electronic PHI of 557 patients. OCR investigators confirmed the allegation and found that the ex-employee had accessed the calendar on at least two occasions after leaving PSMC. To make matters worse, PSMC used Google’s calendar service without having Google sign a business associate agreement (BAA) (at the time, Google Calendar was not offered as a HIPAA-compliant service the way it is today). In addition to the $111,400 fine, the settlement requires PSMC to sign an onerous two-year Corrective Action Plan with OCR, agreeing to overhaul its information security management, BAA and employee training systems.
Significance: The moral of this case is to ensure that your lab:
- Immediately terminates employees’ access to ePHI when they leave your company, or when they stay but no longer need that access to do their jobs; and
- Enters into a BAA with vendors before disclosing your ePHI to them.