A Colorado Hospital reached an $111,400 settlement with the Office for Civil Rights (“OCR”) for failing to terminate a former employee’s access to electronic protected health information. OCR’s investigation uncovered that the hospital impermissibly disclosed electronic protected health information of over 500 individuals to the former employee because it failed to terminate that employee’s access. Additionally, OCR found that the hospital impermissibly disclosed information to Google Calendar, without a business associate agreement. There are two main takeaways here.
First, with the New Year around the corner, it would be a great time to reexamine your HIPAA policies and procedures. OCR makes clear that it does not take a breach of protected health information in order to be subject to an enforcement action. Rather, OCR’s Director states that: “Covered entities that do not have or follow procedures to terminate information access privileges upon employee separation risk a HIPAA enforcement action. “ Therefore, all organizations must ensure that they have proper procedures and safeguards in place for when employees leave.
Second, covered entities must have business associate agreements in place with all organizations, even web-based platforms, which will maintain, use or disclose electronic protected health information. As a prophylactic measure in the new year, we recommend conducting an audit of your organization’s vendor agreements, examining (1) whether the vendor maintains, uses or discloses protected health information and (2) if so, whether there a compliant business associate agreement in place.