The U.S. Department of Health and Human Services, Office for Civil Rights (“HHS”) just announced an $111,400 settlement and substantial corrective action plan for a Colorado hospital whose former employee still had access to electronic patient protected health information (“PHI”).

In 2013, Pagosa Springs Medical Center failed to de-activate a former employee’s username and password for a web-based scheduling calendar, which included patients’ electronic PHI.  Further, the hospital failed to have a business associate agreement in place with the web-based scheduling calendar vendor, as required by HIPAA.

In the Corrective Action Plan, the hospital will update its security management and business associate agreements (and associated policies and procedures) and provide additional training to its workforce about those matters.

You can read the HHS Press Release and the Resolution Agreement here:

If your office would like guidance on how it can prevent HIPAA violations from occurring, please contact our firm.

Danielle Dietrich is a healthcare and litigation attorney in Tucker Arensberg’s Long Term Care Practice Group. She is licensed to practice law in Pennsylvania, Ohio and West Virginia.  Danielle can be reached via email:, telephone: 412-594-5605 or on Twitter at @DLDietrich.