Failure to terminate former employees' access to company information can be a costly mistake. That's a lesson Pagosa...
Springs Medical Center, a critical access hospital in Pagosa Springs, Co., learned the hard way.
Pagosa Springs Medical Center has been fined $111,400 by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS). The settlement stemmed from a 2013 complaint that alleged a former employee was able to access the hospital's web-based scheduling calendar, which contained patient protected health information (PHI), after the employee was terminated.
An OCR investigation revealed that the PHI of 557 individuals was impermissibly disclosed not only to the former employee, but to the web-based scheduling calendar vendor as well, according to an HHS news release. Google, the vendor named in the resolution agreement, and Pagosa Springs Medical Center did not have a HIPAA-required business associate agreement in place, the release said.
"The fact that Google missed it here, as well as Pagosa, is pretty distressing," said Kate Borten, a HIPAA and health information privacy and security expert.
Borten described the HIPAA violations as "significant." They include failure to recognize a HIPAA business associate and sign a contractual agreement with the associate before patient information was exchanged, as well as not having reasonable and effective termination processes established.
Both entities should have recognized that the proper written agreement ensuring Google would appropriately safeguard patient PHI wasn't in place, Borten said.
Two major takeaways
Borten said healthcare CIOs should view the settlement as a stark reminder about system security. She listed two major takeaways for them:
- Use HIPAA settlements as a proactive tool
Any HIPAA-covered entity or HIPAA business associate should be on the HHS mailing list to receive notifications whenever announcements regarding settlements like Pagosa Springs Medical Center are made.
"Management, whether it's CIOs, CISOs, somebody needs to be designated to be on that mailing list to read those cases like this one," she said. "They can be used as a way to check and educate your own organization."
Borten said CIOs can obtain a wealth of information from resolution agreements and corrective action plans. The plans should be seen as tools to conduct internal security checks or to review policies.
She also described resolutions as a training tool for management. In the case of Pagosa Springs Medical Center, the lesson is how to engage with business associates. Borten said formally recognizing business associates and making sure appropriate contracts are in place are crucial to keeping patient information private and secure.
- Develop clear policies that outline responsibility
Borten said healthcare organizations often lack policies to directly inform hospital management about terminations not only for direct staff, but for employees of third-party companies granted access to the organization's systems.
She advised internal management, not security, be responsible for keeping in touch with third-party companies. Hospital management should be made aware when anyone who has been given access to the hospital's systems has been terminated.
"It's that manager or financial director's responsibility to say, 'Remember, you have to tell me as soon as any of your employees are terminated, any employee who has access to our systems,'" Borten said. "That is not necessarily the norm today anywhere. And I think that's a big gap."
Pagosa Springs Medical Center agrees to corrective action plan
Along with the fine, the hospital agreed to adopt a two-year corrective action plan to settle potential HIPAA violations. As part of that plan, Pagosa Springs Medical Center has agreed to update its policies and procedures, along with its security management and business associate agreement. The organization has agreed to then train its workforce regarding updated policies and procedures.
At the time of OCR's investigation, Pagosa Springs Medical Center provided more than 17,000 hospital and clinic visits annually and employed more than 175 individuals.