HIPAA penalizes medical center for cyber security breaches

The Health Insurance Portability and Accountability Act (HIPAA) is legislation that protects the privacy of medical information. Enacted in 1996, the law covers a wide range of issues involving medical care. In recent years, the HIPAA Privacy Rule (officially known as the Standards for Privacy of Individually Identifiable Health Information) has become increasingly important in battling and prosecuting data breaches caused by hackers and others who unlawfully access this private information.

The Department of Health & Human Services’ Office for Civil Rights announced that the Pagosa Springs Medical Center (PSMC) failed to discontinue the username and password access of a former employee. This enabled the former worker to get into the database of the critical access hospital in Colorado.

The violation

According to the original complaint, the former PSMC employee still had remote access to electronic protected health information after leaving the company. The security failure meant the employee still had access to the scheduling calendar, and through it to the patients’ protected health information (PHI). All told, this breach of protected information affected 557 individuals. During the investigation, it was also determined that PSMC did not have the required business associate agreement (BAA) with the vendor who handled scheduling.

The penalty and solution

PSMC must pay a fine of $111,400 to the Office for Civil Rights (OCR). According to Health and Human Services, the company also agreed to adopt a comprehensive two-year plan to address all potential HIPAA violations. To address the issue and prevent future missteps, PSMC will take the following steps:

  • Update policies and procedures involving business associates and disclosures
  • Update the security management process
  • Incorporate training for employees and workforce

Ignorance is not an excuse

It is up to businesses to make sure they are compliant with all applicable laws involving HIPAA and the BAA. Attorneys with a background in employment law here in California can be a tremendous asset in addressing these issues, helping businesses avoid the cost of penalties as well as exposure to lawsuits.