In late 2018, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) entered into a $111,400 settlement with Pagosa Springs Medical Center (PSMC), a Colorado critical access hospital. The OCR alleged that the hospital failed to terminate a former employee's remote access to the hospital's scheduling calendar, which contained patient PHI. The OCR also alleged that the hospital failed to enter into a Business Associate Agreement (BAA) with the scheduling calendar vendor.
OCR Director Roger Severino made the following comments about the settlement: "It’s common sense that former employees should immediately lose access to protected patient information upon their separation from employment… This case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn’t."
This settlement raises two important issues, both arising from the proliferation of apps and affordable software add-ons. Technology is making it easier to run healthcare offices by adding software and applications that integrate with existing systems, rather than building expensive custom solutions. This has many benefits for providers. But it also means more employee accounts to manage, and many more business associates!
Your organization must track employee accounts. Someone must maintain an inventory of every account each employee holds in every piece of software and every application (the account names and what they can reach, not the passwords themselves, which should never be stored in recoverable form). In particular, disable or remove accounts promptly on every separation, voluntary and involuntary. In organizations of all sizes, small and large, there needs to be an established and well-communicated procedure for passing word of employee separations from department managers to human resources and IT. Any delay in that communication stream that leaves accounts active after separation exposes the organization to unauthorized access and possible HIPAA breaches. Also secure every store that holds employee credentials (directory servers, password vaults, the account inventory itself): an attacker who obtains those credentials inherits the access they grant, so a compromise of the credential store is itself a potential HIPAA breach.
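The weak point in the case above was that nobody compared "who HR says has left" against "who each application still lets in." The following is an added example (not code from the original article or from PSMC) of that reconciliation: it takes the HR roster and the user-list export from each application that holds ePHI, flags accounts still active after a separation date, and flags active accounts that match no HR record at all (vendor or contractor logins nobody is tracking). The roster, the exports, the column names `employee_id,name,email,separated` and `email,status`, and the application names are all constructed for the example; real exports will need their own column mapping.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample inputs (illustrative only, not records from the settlement).
# HR_ROSTER is what HR holds: one row per employee, separation date blank
# while employed. APP_EXPORTS are the user-list exports each application
# holding ePHI can produce (assumed column names: email,status).
HR_ROSTER = """employee_id,name,email,separated
E100,Ana Ruiz,aruiz@example.org,
E101,Ben Okafor,bokafor@example.org,2018-05-31
E102,Cai Wen,cwen@example.org,2018-06-15
"""

APP_EXPORTS = {
    "scheduling-calendar": """email,status
aruiz@example.org,active
bokafor@example.org,active
cwen@example.org,disabled
""",
    "ehr": """email,status
aruiz@example.org,active
vendor-support@example.net,active
""",
}


def load_roster(csv_text):
    """Map lower-cased email -> (employee_id, separation date or None)."""
    roster = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        sep = date.fromisoformat(row["separated"]) if row["separated"] else None
        roster[row["email"].strip().lower()] = (row["employee_id"], sep)
    return roster


def reconcile(roster_csv, app_exports, today, grace_days=0):
    """Return findings sorted by (app, email):
    - 'stale_after_separation': HR shows the person separated more than
      grace_days ago, yet the app still lists the account as active.
    - 'orphan': an active account with no HR record at all.
    An account disabled on the separation date itself is not flagged."""
    roster = load_roster(roster_csv)
    findings = []
    for app, export in app_exports.items():
        for row in csv.DictReader(io.StringIO(export)):
            email = row["email"].strip().lower()
            if row["status"].strip().lower() != "active":
                continue  # disabled accounts are the desired end state
            if email not in roster:
                findings.append({"app": app, "email": email,
                                 "issue": "orphan", "days_overdue": None})
                continue
            employee_id, separated = roster[email]
            if separated is not None and today > separated + timedelta(days=grace_days):
                findings.append({"app": app, "email": email,
                                 "employee_id": employee_id,
                                 "issue": "stale_after_separation",
                                 "days_overdue": (today - separated).days})
    return sorted(findings, key=lambda f: (f["app"], f["email"]))


def access_by_person(app_exports):
    """Answer 'who has access to what': email -> sorted apps where active."""
    access = {}
    for app, export in app_exports.items():
        for row in csv.DictReader(io.StringIO(export)):
            if row["status"].strip().lower() == "active":
                access.setdefault(row["email"].strip().lower(), []).append(app)
    return {email: sorted(apps) for email, apps in access.items()}


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, APP_EXPORTS, today=date(2018, 7, 1)):
        print(f"{f['app']}: {f['email']} -> {f['issue']}"
              + (f" ({f['days_overdue']} days overdue)" if f["days_overdue"] else ""))
    for email, apps in sorted(access_by_person(APP_EXPORTS).items()):
        print(f"{email}: {', '.join(apps)}")
```

Run this on a schedule (daily is reasonable, since a termination communicated on Friday should not still be open on Monday) and treat every `stale_after_separation` finding as an incident to close, not a report to file. The `grace_days` parameter exists only so that a same-day termination is not paged on; for a hospital it should stay at zero. Orphan accounts deserve the same attention: each one is either a business associate's access that needs a BAA behind it, or an account nobody owns.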
Any software program or app vendor you use is also a potential business associate. If PHI is involved, a BAA is needed. Keep a BAA inventory so every vendor relationship is tracked and every executed BAA is logged. Also put a process in place to review every prospective program or service for possible interaction with PHI before purchase or contracting, so that HIPAA concerns can be raised and the BAA negotiated before the deal is done.