Let’s take a look at two different OCR settlements for HIPAA violations to see what we can learn. (While this draws from HIPAA-specific settlements, the concept is universally relevant.)
Settlement with a Colorado Hospital
In December 2018, OCR published a settlement with a Colorado hospital over its failure to terminate a former employee’s access. In short, a former employee still had access to a Google Calendar that included patient data. No mention is made of other access, so the hospital likely did terminate access to most systems, such as its EMR and computer network, but missed one. It may have gotten the offboarding 90%+ right, but that single miss led to a $111,400 settlement and a two-year corrective action plan.
Settlement with the City of New Haven, Connecticut
More recently, in October 2020, OCR published a settlement with the City of New Haven, Connecticut over its failure to remove access for a terminated user. Eight days after being terminated, the former employee logged into the computer system and downloaded PHI (protected health information). The former employee had also shared those credentials with an intern, who used them to access PHI. This incident resulted in a $202,400 settlement and a two-year corrective action plan. Neither case appears to be a technical failing, even though each involves electronic access to data. Instead, both stem from a procedural failure to ensure that a terminated user’s access was revoked across all systems in a timely manner. Note the difference in impact: in the Colorado case, stale access was found but no misuse is described, while in New Haven the stale account was actively used, and the credentials were even passed on to a third party.
You need to ensure that the onboarding and offboarding of your employees follows a reliable process with cooperative communication between HR, IT, and operations. A practical check is to keep a current inventory of every system each employee can access, including shared resources like calendars and other cloud services that live outside the main network, so that offboarding revokes access to each one rather than only the obvious accounts. With clear processes and methods of communication in place, problems like the ones above are avoided, and everyone can sleep a little easier at night. Contact Sterling Ideas to get more info on OCR settlements or to see how we can protect your IT infrastructure and organization.