Hopefully you can answer this question, with 100% certainty, with a single word: Zero.
But that’s often not the case.
Recently, the City of New Haven, CT, entered a $202,400 settlement with the HHS Office for Civil Rights (OCR) to resolve potential HIPAA Privacy and Security Rule violations.
The New Haven Health Department filed a breach report after “a former employee returned…eight days after being terminated, logged into her old computer with her still active user name and password, and downloaded PHI that included patient names, addresses, dates of birth, race/ethnicity, gender, and sexually transmitted diseases test results onto a USB drive.” This former employee also gave her user name and password to an intern.
MPA sees this scenario frequently – an employee leaves, access is not terminated in a timely manner, and the former employee continues to log in (typically out of curiosity).