Failure to terminate access of departing employee leads to HIPAA penalty


A critical access hospital in Colorado will pay $114,000 in a settlement with the Office of Civil Rights (OCR) stemming from the failure to terminate a former employee’s access to a hospital database containing protected health information (PHI).

OCR recently announced the settlement with Pagosa Springs Medical Center. OCR’s investigation found that a former employee of the hospital continued to have remote access to the hospital’s web-based scheduling calendar, which contained patients’ PHI even after separation of employment, allowing the former employee access to the PHI of 557 individuals. Additionally, the investigation found that the hospital did not have a business associate agreement in place with the web-based scheduling calendar vendor.

In a prior enforcement action, a health system paid $5.5 million to settle alleged HIPAA violations when the login credentials of a former employee of an affiliate were used to access a database containing PHI on a regular basis without detection for a year.   

HIPAA requires covered entities to have workforce security policies in place regarding the right of access to PHI. Specifically, covered entities must implement procedures “for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends.” Keep in mind, as the Pagosa Springs Medical Center case shows, these policies should not be limited to termination of access to the covered entity’s EHR but, rather, any and all systems or databases that include PHI.

Industries & Practices

Media Contact

Subscribe to Receive Updates
Jump to Page

Necessary Cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytical Cookies

Analytical cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.