Help with HIPAA Compliance
Helping you understand the complexities of compliance under the HIPAA Security and Privacy Rules. Our team of experts in regulatory compliance can answer any questions you may.
Colington Consulting

HIPAA Best Practices for Employee Termination

1/26/2019 11:50:11 AM   |   Comments: 0   |   Views: 170

On December 11, 2018, the HHS Office for Civil Rights (OCR) announced a settlement of $111,400 with Pagosa Springs Medical Center (PSMC) located in Colorado. The settlement was the outcome of a HIPAA enforcement action following the findings of an OCR investigation that was triggered by an allegation that a former employee of PSMC still had access to ePHI via a web scheduling client used by PSMC.

According to OCR Director Roger Severino, “it’s common sense that former employees should immediately lose access to protected patient information upon their separation from employment.” 

However, removing the terminated employee’s access alone would not have brought PSMC, as a Covered Entity (CE), into compliance with its other HIPAA requirements. OCR’s investigation revealed that PSMC did not have a Business Associate Agreement (BAA) in place with either the web-based scheduling calendar vendor or the employee, which left the ePHI of 557 individuals vulnerable to attack.

Under a two-year Corrective Action Plan, PSMC must now update its security management and business associate agreement, as well as its policies and procedures, and must now re-train its employees and workers so that they are up to speed on these changes.

The takeaway from this settlement agreement is that organizations that do not have, or do not follow, procedures to terminate information access privileges upon employee separation, and suffer a breach as a result, face possible HIPAA enforcement action by OCR. It is also important to make sure that any process that records, shares, transmits, or modifies ePHI is thoroughly detailed in the BAA. Some CEs attempt to save money and time with a work-around: anonymizing ePHI while using web-based scheduling or communication apps without a BAA. Such an approach is difficult to standardize in the long run. It is ultimately more cost-effective for CEs to spend the time and resources to set up a BAA with the relevant vendors than to face an investigation for failing to enforce HIPAA privacy and security mandates.

Best Practice Lessons from this case:

  • The CE representative facilitating an employee’s termination must also have the ability and training to revoke and remove any previous access authorizations held by the employee. This must take place at the same time as the notice of termination is provided.
  • CEs must complete BAAs with any vendor who provides the CE with the ability to record, modify, transmit, or share ePHI.
  • At the time of onboarding, all employees must be made aware that their employer requires them to give up all access and authorizations upon termination or voluntary departure from the company.
  • Training materials for employee onboarding should include privacy and security awareness related to:
    a) use of third-party services and applications;
    b) terms and conditions that trigger the creation of a BAA;
    c) assurances provided by BAs regarding policies and procedures to secure ePHI;
    d) security incident reporting; and
    e) password management.
  • Supervisors and other responsible officials must be trained to undertake oversight of employees’ uses and disclosures of PHI, including ePHI, in order to ensure compliance with HIPAA regulations.

An overall best practice for any organization, regardless of size, is to use a termination checklist. The checklist should cover critical areas such as information network system access, physical access to the office or facility, and the return of any of the organization’s property, including any mobile devices. Finally, I always recommend issuing the terminated employee a letter reminding them of their legal and privacy obligations regarding the protected health information they had access to.

©2025 Dentaltown, a division of Farran Media • All Rights Reserved