Former Employees’ Retention of Login Credentials Can Cost You
HHS announced another HIPAA settlement resolution at the end of last year, this time with Pagosa Springs Medical Center, a Colorado Hospital, for a violation of HIPAA’s security provisions. The settlement will cost the hospital $111,400. The complaint alleged that former hospital employees had access to electronic protected health information (PHI) in the form of the hospital’s web-based scheduling calendar, and HHS stated clearly in the settlement that former employees should immediately loose access to PHI upon their termination of employment. Under the settlement with HHS, the hospital must pay the settlement fine, as well as update its security management and business associate agreements, policies and procedures, and train its workforce members regarding the same.
This settlement should be a wake-up call for self-funded health plan sponsors whose employees have access to protected information under HIPAA. While this particular breach was by a hospital, this breach could have happened to almost any company. A single violation of HIPAA can lead to the $1,711,533 cap per violation very quickly (as HHS has the authority to penalize a covered entity up to $57,051 per violation per individual impacted). A similar breach in 2017, where former employees accessed PHI after their employment, resulted in a $5.5 million settlement against Memorial Healthcare System.
To avoid this type of breach, access control standards should be implemented to prohibit unauthorized access to PHI. All employees that have access to electronic PHI are required to have a unique name or number for identifying and tracking users, and such logins should be immediately disabled once an employee is terminated or no longer has a need to access a particular system. It is important to remember not just internal system logins, but also logins to external sites (e.g., the logins for the site of your plan’s TPA). Employers must create and enforce procedures for monitoring login attempts and reporting discrepancies. The procedures should designate who is responsible for monitoring logins, the process for monitoring logins, the process for identifying inappropriate logins and users with unauthorized access, and actions to be taken in response to an inappropriate login.
Although the cost of doing a risk analysis and updating your HIPAA policies and procedures can seem burdensome, complying with HIPAA today can prevent hundreds of thousands or even millions of dollars in penalties tomorrow. If you haven’t paid much attention to your plan’s HIPAA compliance lately, we hope this settlement makes you dust off your policies and consider whether additional trainings or procedures are necessary to help protect your company and your participants’ data. If you need assistance, we have a team of HIPAA experts that can assist. Please reach out to any Graydon attorney and they can put you in touch with the right attorney.