The U.S. Department of Health and Human Services Office of Civil Rights recently announced that Pagosa Springs Medical Center (“PSMC”) in Colorado has agreed to pay $111,400 to resolve allegations that it potentially violated HIPAA’s Privacy and Security Rules.

OCR opened its investigation into PSMC over allegations that a former employee of PSMC had obtained remote access to the hospital’s electronic scheduling system, which contained electronic protected health information (ePHI). OCR’s investigation revealed that, through this former employee’s ability to continue accessing the web-based scheduling system, PSMC impermissibly disclosed the ePHI of 557 individual patients. Additionally, OCR’s investigation discovered that PSMC did not have a business associate agreement in place with the web-based scheduling system vendor, which also violated HIPAA.

In addition to paying $111,400, PSMC has also agreed to a two-year corrective action plan that will require it to update its security management, review and update all business associate agreements, assess all vendor relationships to ensure ePHI is not disclosed to vendors before having business associate agreements in place, address policy and procedure improvements regarding protecting ePHI, and training its entire workforce on such privacy and security measures.