Recent Settlement Demonstrates the Importance of Termination Procedures

Recent Settlement Demonstrates the Importance of Termination Procedures

The HIPAA Security Rule requires covered entities and business associates to implement reasonable and appropriate safeguards for the protection of electronic protected health information (ePHI). The Workforce Security standard requires policies and procedures to be implemented to ensure that all workforce members have appropriate access to ePHI. This includes implementing procedures for terminating access to ePHI when an employee quits, is terminated or has a change in duties that no longer require access to ePHI.

Failing to adhere to the Workforce Security standard to terminate access can be costly as it was in the following settlement:

Recently announced by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), Pagosa Springs Medical Center (PSMC) agreed to pay $111,400 and to adopt a substantial corrective action plan to settle potential violations of the HIPAA Privacy and Security Rules. It turns out a former PSMC employee continued to have remote access to PSMC's web-based scheduling calendar, which contained patients' ePHI, after separation of employment. OCR determined that PSMC impermissibly disclosed the ePHI of 557 individuals to its former employee and to the web-based scheduling calendar vendor without a HIPAA required business associate agreement in place.

As part of their corrective action said to be a two-year plan, PSMC has agreed to update its security management and business associate agreement, policies and procedures, and train its workforce members.

Important Takeaways!

The OCR has made it clear that covered entities must have and follow procedures to terminate access to protected information upon an employee's separation. Failure to do so could result in a HIPAA enforcement action. Additionally, the OCR stressed the importance of evaluating relationships with vendors to ensure that business associate agreements are in place with all business associates before disclosing protected health information.

Have questions about a vendor relationship or termination procedures? We can help. Please contact us by email: [email protected] or by phone: 855-427-0427.