Knowing who has access to your PHI and who does not

Jay P. Anstine (jay.anstine@bannerhealth.com) is the Area Compliance Program Director for Banner Health’s Western Region Rural Hospitals, based in Greeley, CO.

On December 11, 2018, the Department of Health and Human Services, Office for Civil Rights (OCR) announced a settlement with a critical access hospital in Colorado, Pagosa Springs Medical Center (PSMC),[1] which agreed to pay $111,400 to resolve alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

According to the settlement, OCR alleged that from July to September of 2013, PSMC impermissibly disclosed the protected health information (PHI) of 557 individuals. The impermissible disclosures were attributed to two causes. First, the hospital failed to deactivate a former employee’s credentials to access a web-based scheduling calendar. Second, during the investigation, it was discovered that PSMC did not have a business associate agreement (BAA) with Google, the contracted vendor providing the software.
