The U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) just announced an $111,400 settlement and substantial corrective action plan for a Colorado hospital whose former employee still had access to electronic patient protected health information (“PHI”).

In 2013, Pagosa Springs Medical Center failed to de-activate a former employee’s username and password for a web-based scheduling calendar, which included patients’ electronic PHI.  Further, the hospital failed to have a business associate agreement in place with the web-based scheduling calendar vendor, as required by HIPAA.

In the Corrective Action Plan, the hospital will update its security management and business associate agreements (and associated policies and procedures) and provide additional training to its workforce about those matters.

You can read the HHS Press Release and the Resolution Agreement here:

If your office would like guidance on how it can prevent HIPAA violations from occurring, please contact our firm.