Colorado Provider Fined $111,400 For HIPAA Violation Involving Employee Access

Pagosa Springs Medical Center (PSMC) has agreed to pay $111,400 to the Office for Civil Rights (OCR) to settle HIPAA violations.


PSMC is a critical access hospital that provides more than 17,000 hospital and clinic visits annually and employs more than 175 individuals. The latest settlement discloses that the Colorado hospital failed to terminate a former employee’s access to electronic protected health information (ePHI).

After receiving a complaint that a former PSMC employee had remote access to the organization’s web-based scheduling calendar, which contained patient ePHI, OCR determined that PSMC improperly disclosed the ePHI of 557 patients to this former employee and did not have a business associate agreement in place with the scheduling calendar vendor.

Under the latest settlement, PSMC has agreed to pay $111,400 and follow a two-year corrective action plan covering updates to its security management, business associate agreements (BAAs), administrative policies, and workforce training. OCR Director Roger Severino stressed this settlement’s significance for covered entities and PHI access:

“It’s common sense that former employees should immediately lose access to protected patient information upon their separation from employment,” said OCR Director Roger Severino. “This case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn’t.”

Covered entities that do not have or follow procedures to terminate information access privileges upon employee separation risk a HIPAA enforcement action. Covered entities must also evaluate relationships with vendors to ensure that business associate agreements are in place with all business associates before disclosing protected health information.


What Does This Violation Mean?

This settlement with PSMC emphasizes OCR’s enforcement of HIPAA’s Access Control and Person or Entity Authentication requirements. Organizations must have unique user credentials for each user that interacts with PHI. Additionally, organizations should follow the principle of least privilege: user access should be disabled when PHI access is no longer necessary (e.g., an employee leaving, or staff no longer needing patient access). Administrative policies should be in place for managing access control, employee access, and vendors. Business Associate Agreements (BAAs) must be signed with all third-party vendors that handle protected health information (PHI).
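The failure in this case was an account that outlived the employment relationship. The audit below is an added example, not code from the article or from Dash: it reconciles an HR separation roster against the account list and access log of a hypothetical web-based scheduling calendar (all data constructed here), and flags three gaps a covered entity would want to detect: separated staff whose account is still enabled, logins that happened after the separation date, and accounts with no HR record at all (such as vendor or orphan accounts).

```python
from datetime import date, datetime

# Constructed sample data (not from the settlement): HR roster with separation
# dates, plus the user list and access log exported from a hypothetical
# web-based scheduling calendar.
HR_ROSTER = {
    "jdoe": {"separated": date(2024, 3, 15)},
    "asmith": {"separated": None},  # still employed
    "rlee": {"separated": date(2024, 1, 31)},
}
CALENDAR_USERS = {
    "jdoe": {"enabled": True},  # never disabled after separation
    "asmith": {"enabled": True},
    "rlee": {"enabled": False},  # correctly disabled
    "vendor-svc": {"enabled": True},  # no HR record at all
}
CALENDAR_ACCESS_LOG = [
    "2024-03-20T08:12:44Z user=jdoe action=view_schedule",
    "2024-03-21T09:01:10Z user=asmith action=view_schedule",
    "2024-01-30T17:45:02Z user=rlee action=view_schedule",
]


def parse_log_line(line):
    """Return (timestamp, user) from a 'ts user=... action=...' log line."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"), kv["user"]


def find_offboarding_gaps(roster, users, log):
    """Reconcile HR separations against the app's accounts and access log.

    still_enabled:    separated employees whose app account is still enabled
    post_separation:  (user, timestamp) logins after the separation date
    unknown_accounts: app accounts with no HR record (vendor or orphan)
    """
    findings = {"still_enabled": [], "post_separation": [], "unknown_accounts": []}
    for user, info in users.items():
        hr = roster.get(user)
        if hr is None:
            findings["unknown_accounts"].append(user)
        elif hr["separated"] is not None and info["enabled"]:
            findings["still_enabled"].append(user)
    for line in log:
        ts, user = parse_log_line(line)
        sep = roster.get(user, {}).get("separated")
        if sep is not None and ts.date() > sep:
            findings["post_separation"].append((user, ts.isoformat()))
    return findings
```

Running `find_offboarding_gaps(HR_ROSTER, CALENDAR_USERS, CALENDAR_ACCESS_LOG)` on the constructed data flags `jdoe` on both the enabled-account and post-separation-login checks and `vendor-svc` as an account with no HR owner, while `rlee` passes because the account was disabled and the only login predates separation.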


How Can Dash Help?

Unlike many solutions which address either technical controls or administrative controls, Dash empowers users to customize and create policies, then enforce those policies via continuous compliance monitoring. For this specific violation, the Dash Employees Policy will cover specifics on how to address access controls for terminated or former employees and contractors. By connecting this policy to IAM role related monitoring and the System Access Policy, Dash users can prevent this exact issue in a customized and proactive manner.