A Colorado hospital faces a hefty settlement after failing to have an essential contract required under HIPAA rules. Pagosa Springs Medical Center neglected to cut off a former employee’s access to a remote access system. The former employee filed a complaint with the Office for Civil Rights stating that they still had a working username and password to an electronic health information system. This system gave them the ability to see an online patient scheduling calendar, which included protected health information of 557 patients.
The Office for Civil Rights launched an investigation into the former employee’s complaint, which revealed that the hospital did not have a business associate agreement with the online scheduling vendor. Any business working with an entity that requires access to protected patient information is required to have a business associate agreement under HIPAA. These contracts are intricate and important to keep the public’s information as secure as possible.
What penalties are involved?
The hospital will pay $111,400 to the Office for Civil Rights and has agreed to follow a corrective action plan to settle HIPAA violations. Under the plan, the hospital will incorporate:
- New employee training
- Updated business associate relationships and uses of protected patient information
- Updated risk analysis and risk management processes
An important takeaway for businesses
Overlooking policies and agreements was an expensive mistake for Pagosa Springs Medical Center. Other businesses can learn from the hospital’s error. The best way to avoid fines, violations and litigation is to ask your legal counsel to intervene early. Business owners have a lot to handle and cannot possibly know every way in which they are vulnerable to legal issues. You can work with a business law firm on the following issues:
- Create strict procedures: Businesses need detailed policies for employee departures. Once employees leave, they should no longer have access to online systems, company information or client/patient information. Not only could former employees poach clients, but they could steal personal information for fraud purposes.
- Review vendor agreements: Vet agreements with vendors to determine if you require a business associate agreement or another type of contract.
Establishing detailed contracts and agreements can help businesses avoid legal issues and mitigate financial consequences if an issue arises. When litigation does become necessary, you will be prepared.