October 30, 2020
Just when we thought the month was over, the Office for Civil Rights (OCR) decided to sneak one more HIPAA fine in at the last minute. Earlier today the OCR announced October’s FOURTH fine, this time against the City of New Haven, Connecticut, which has agreed to pay a $202,400 fine and complete a 2-year corrective action plan after violating the HIPAA Privacy and Security Rules.
The 15th settlement of the year came as a result of a HIPAA violation reported back in January 2017 that sounds almost like a TV drama. In 2017, the case began when the New Haven Health Department notified the OCR that a former employee appeared to have accessed a file on a computer containing protected health information (PHI).
After some OCR sleuthing, it was revealed that 8 days after being fired in July 2016, the same employee returned to the health department, logged into her old computer with still-active credentials (we’re picturing her with a large hat, sunglasses and a trench coat) and downloaded the PHI of 498 individuals to a USB drive. The malicious download included patient names, addresses, and other personal medical information. And as if this really were a binge-worthy TV show (grab the popcorn), the former employee then shared her login ID and password with an intern, who continued to do the dirty work for her.
On top of the drama-filled breach, the OCR investigation also uncovered major gaps in the health department’s HIPAA program, including the absence of:
- An enterprise-wide security risk analysis
- Proper termination procedures
- Access controls
- Documented HIPAA policies and procedures
We’ve seen a number of recent HIPAA settlements centering around improper access, but in this case the unauthorized access came as a result of the New Haven Health Department’s failure to have proper employee offboarding procedures. The simple task of deactivating the employee’s login credentials could have saved the organization a huge chunk of change and kept 498 patients’ information better protected.
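As an added illustration (not part of the original post, and not the health department’s or OCR’s own tooling), here is a small Python check that reconciles an HR termination roster against authentication log lines and flags the failures in this story: successful logins after a termination date, a terminated account still enabled, and one account used from several workstations, which is a weak signal of the credential sharing described above. The account names, hostnames, dates and log format are all constructed for the example.

```python
from datetime import datetime

# Constructed HR roster: account -> termination date (None = still employed).
# Names and dates are illustrative, not taken from the OCR settlement.
TERMINATIONS = {
    "jdoe": datetime(2016, 7, 1),
    "intern01": None,
}

# Constructed authentication log: timestamp, account, workstation, result.
AUTH_LOG = """\
2016-06-30T09:02:11 jdoe WS-HD-014 SUCCESS
2016-07-09T18:41:07 jdoe WS-HD-014 SUCCESS
2016-07-12T10:15:33 jdoe WS-HD-021 SUCCESS
2016-07-12T10:20:02 intern01 WS-HD-021 SUCCESS
"""

def parse_auth_log(text):
    """Split each log line into (timestamp, account, host, result)."""
    events = []
    for line in text.splitlines():
        ts, user, host, result = line.split()
        events.append((datetime.fromisoformat(ts), user, host, result))
    return events

def post_termination_logins(events, terminations):
    """Successful logins by accounts whose owner had already been terminated.
    Returns (account, host, days since termination) for each such login."""
    findings = []
    for ts, user, host, result in events:
        end = terminations.get(user)
        if result == "SUCCESS" and end is not None and ts > end:
            findings.append((user, host, (ts - end).days))
    return findings

def accounts_never_disabled(terminations, active_accounts, as_of):
    """Terminated users whose account is still enabled on the as_of date."""
    cutoff = datetime.fromisoformat(as_of)
    return sorted(u for u, end in terminations.items()
                  if end is not None and end <= cutoff and u in active_accounts)

def shared_use_hosts(events):
    """Accounts seen on more than one workstation (possible credential sharing)."""
    hosts = {}
    for _ts, user, host, _result in events:
        hosts.setdefault(user, set()).add(host)
    return {u: h for u, h in hosts.items() if len(h) > 1}
```

In practice the roster would come from the HR system and the events from the domain controller or application audit log; the point is that the reconciliation is mechanical and can run daily.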
You can never really predict when an employee will ‘go rogue’, and not having a termination process in place, or even just waiting a few days to disable access, can be a costly mistake. Having a comprehensive plan covering an employee from their first day to their last is an important aspect of general operations, and especially of your HIPAA compliance program. OCR Director Roger Severino said it best: “Medical providers need to know who in their organization can access patient data at all times. When someone’s employment ends, so must their access to patient records.”