Do you have a good policy in place to terminate access privileges upon employee separation?

A recent enforcement action against Pagosa Springs Medical Center related to the facility’s failure to have good procedures in place upon the separation with employees. The Hospital–a critical access hospital–has agreed to pay $111,400 to the Office of Civil Rights (OCR) and adopt a corrective action plan for the alleged violations. The hospital failed to discontinue remote access for a separated employee, which allowed the former employee access to the Hospitals’ web-based scheduling calendar, which contained protected heath information (PHI). Further investigation by OCR also revealed that the hospital failed to have a Business Associate agreement in place with the calendar vendor.

Under the corrective action plan, the Hospital has agreed to update its security management policies and procedures, as well as its business associate policies and procedures. It will also retain its workforce.

The press release issue by OCR quoted OCR Director Roger Severino, saying, “It’s common sense that former employees should immediately lose access to protected patient information upon their separation from employment. This case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn’t.”

Consider whether you have an appropriate policy and procedure in place to terminate all access privileges upon employee separation, or risk a HIPAA enforcement action. Now would also be a good time to evaluate all vendor relationships to make sure a Business Associate Agreement is not required.

The resolution agreement and corrective action plan may be found at the OCR website here: http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/pagosasprings.

Tricia L. Hoffman-Simanek
Tricia Hoffman-Simanek is an Attorney and Senior Vice President at Shuttleworth & Ingersoll, P.L.C. Her legal work focuses on civil litigation, professional malpractice and insurance law.