Colorado Hospital That Failed to Remove Former Employee’s Access to Web-Based Calendar Pays to Settle HIPAA Violation
December 19, 2018 | Risk Management News
A Colorado hospital will pay $111,400 and adopt a "substantial" corrective action plan to settle alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules after it failed to terminate a former employee's access to protected health information (PHI), the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) announced on December 11, 2018. The settlement resolves a complaint alleging that the facility, a critical access hospital that employs more than 175 individuals, did not remove a former employee's remote access to a web-based scheduling calendar. The calendar contained patients' electronic PHI (ePHI), OCR said, and as a result the facility impermissibly disclosed the ePHI of 557 individuals to the former employee and to the calendar vendor, with whom it did not have a HIPAA-required business associate agreement in place.