OCR reaches $111,400 settlement with Colorado hospital

December 28, 2018
Medicare Web

Pagosa Springs Medical Center (PSMC) in Pagosa Springs, Colorado, has agreed to pay $111,400 to the Office for Civil Rights (OCR) and to adopt a substantial corrective action plan in a settlement over alleged HIPAA violations, OCR announced earlier this month.

The settlement resolves a complaint alleging that a former PSMC employee continued to have access to patients’ electronic protected health information (ePHI) after his or her employment at PSMC ended.

OCR’s investigation found that the failure to deactivate the former employee’s user name and password led to the impermissible disclosure of ePHI of 557 individuals to that former employee and to Google, PSMC’s web-based scheduling calendar vendor. OCR’s investigation also found that PSMC did not have a business associate agreement with Google as required by HIPAA (see 45 C.F.R. § 164.502(a)).

The two-year corrective action plan requires PSMC to:

  • Revise its policies and procedures related to business associate relationships
  • Revise its policies and procedures related to the uses and disclosures of PHI
  • Develop a comprehensive and thorough analysis of security risks and vulnerabilities
  • Provide HHS with a risk management plan that addresses and mitigates the security risks and vulnerabilities
  • Develop training materials on the revised policies and procedures and submit them to HHS for review
  • Submit reports to HHS regarding its compliance with the corrective action plan

Read the full resolution agreement here.
