HIPAA settlement highlights need to protect PHI access when staff leave

Dec 13, 2018 - 02:41 PM
HIPAA-settlement

A settlement agreement with Pagosa Springs (Colo.) Medical Center that the Department of Health and Human Services’ Office for Civil Rights announced this week highlights important, but perhaps sometimes overlooked, privacy and security risk issues associated with access to electronic protected health information. The settlement resolves a complaint alleging that the hospital impermissibly disclosed electronic PHI to a former employee, and to a web-based scheduling calendar vendor without a business associate agreement in place. Pagosa Springs, a critical access hospital, agreed to pay $111,400 and adopt a corrective action plan to settle these potential violations of the Health Insurance Portability and Accountability Act privacy and security rules. “Covered entities that do not have or follow procedures to terminate information access privileges upon employee separation risk a HIPAA enforcement action,” OCR said. “Covered entities must also evaluate relationships with vendors to ensure that business associate agreements are in place with all business associates before disclosing protected health information.”

Related News Articles

Headline
Partnership releases cybersecurity crisis response guide
The Health and Public Health Sector Coordinating Council, a public-private partnership, yesterday released a crisis response guide to help health care…
Headline
Partnership issues guidance for protecting health care innovation capital
The Healthcare and Public Health Sector Coordinating Council, a public-private partnership developed to mitigate threats to the nation’s health care sector,…
Headline
FBI, CISA warn of serious nation state cyber threats, other top vulnerabilities
China and its proxies have been observed attempting to identify and illicitly obtain valuable intellectual property and public health data related to vaccines…
Headline
HHS reminds health care providers of HIPAA’s privacy provisions for media coverage
The Department of Health and Human Services Tuesday reminded health care providers that HIPAA privacy rules bar them from giving media and film crews access to…
Headline
DHS, CISA update telework guidance
The Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency have updated their telework guidance to include new guidance on…
Headline
Podcast: A conversation with the DHS about COVID-19 cyber threats
Cyber actors have launched phishing campaigns against first responders, initiated denial-of-service assaults against government agencies and threatened medical…