Hospital Fails to Terminate Former Employee’s Access to HIPAA-Protected Data

A recent HIPAA enforcement action should serve as a reminder to healthcare organizations of the need to terminate an employee’s access to patients’ electronic protected health information (ePHI) immediately after that employee leaves the organization.

The most recent action – the third within a month – involved Pagosa Springs Medical Center in Colorado. The critical access hospital agreed to pay $111,400 to the Office for Civil Rights at the U.S. Department of Health and Human Services and to adopt a corrective action plan.

The case grew out of a complaint initiated in 2013 and which led to the determination that the hospital disclosed the ePHI of at least 557 individuals to a former employee who had retained remote access to the facility’s web-based scheduling calendar, even after the employee had stopped working there. In addition, the hospital also was found to have disclosed the information to Google, its scheduling vendor, without obtaining a Business Associate Agreement.

As we wrote about a couple of weeks ago, Business Associate Agreements are necessary to protect healthcare organizations from violating HIPAA. It stipulates how protected health information can be used.

In addition to the fine, Pagosa Springs Medical Center must (1) update its policies and procedures relating to business associate relationships, (2) update security management processes by conducting a thorough risk analysis of security risks and vulnerabilities and (3) conduct employee training relating to the disclosure of protected health information.

Earlier this month, a Connecticut healthcare provider agreed to settle a HIPAA case after one of its doctors discussed a patient’s case with a television station.

HIPAA can be violated in a number of ways. From the accidental mishandling of patient information, to outright data breaches, healthcare organizations must be diligent in their effort to protect patient privacy.

The Health Law Offices of Anthony C. Vitale can assist you in establishing proper HIPAA rules and procedures, as well as defending you should a HIPAA breach occur. Contact us for additional information at 305-358-4500 or send us an email to and let’s discuss how we might be able to assist you.

Posted in
The Health Law Offices of Anthony C. Vitale

The Health Law Offices of Anthony C. Vitale