A settlement agreement with Pagosa Springs (Colo.) Medical Center that the Department of Health and Human Services’ Office for Civil Rights announced this week highlights important, but perhaps sometimes overlooked, privacy and security risk issues associated with access to electronic protected health information. The settlement resolves a complaint alleging that the hospital impermissibly disclosed electronic PHI to a former employee, and to a web-based scheduling calendar vendor without a business associate agreement in place. Pagosa Springs, a critical access hospital, agreed to pay $111,400 and adopt a corrective action plan to settle these potential violations of the Health Insurance Portability and Accountability Act privacy and security rules. “Covered entities that do not have or follow procedures to terminate information access privileges upon employee separation risk a HIPAA enforcement action,” OCR said. “Covered entities must also evaluate relationships with vendors to ensure that business associate agreements are in place with all business associates before disclosing protected health information.”

Related News Articles

Headline
Microsoft July 19 issued an alert about active attacks from vulnerabilities targeting SharePoint servers used within organizations. The incidents have not…
Headline
In his latest AHA Cyber and Risk Intel blog, Scott Gee, AHA deputy national advisor for cybersecurity and risk, explains how hospitals can prepare for and…
AHA Cyber Intel
In today’s heightened threat environment, driven by domestic and geopolitical issues, it is more critical than ever for hospitals to prepare for and mitigate…
Headline
In a statement submitted to the Senate Health, Education, Labor and Pensions Committee for a hearing today on health care cybersecurity and patient privacy,…
Headline
Cyberattacks on hospitals are urgent threats to patient safety, care delivery and public trust. In this conversation, Ajay Gupta, board chair of Trinity Health…
Headline
The Food and Drug Administration yesterday released a safety notice announcing a software patch is available to address cybersecurity vulnerabilities in…