OCR Settlements

Written by Charles Gardner

April 14, 2021

Let’s take a look at two different OCR settlements for HIPAA violations to see what we can learn. (While this draws from HIPAA-specific settlements, the concept is universally relevant.) In December 2018, OCR published a settlement with a Colorado hospital over failure to terminate a former employee’s access. In short, a former employee still had access to a Google Calendar that included patient data. No mention is made of other access, so it is likely the hospital correctly terminated access to many accounts, like their EMR and computer network, but missed one system. They may have gotten it 90%+ right, but this error led to a $111,400 settlement and a two-year corrective action plan.

Settlement with the City of New Haven, Connecticut

More recently, in October 2020, the OCR published a settlement with the City of New Haven, Connecticut over failure to remove access for a terminated user. Eight days after the employment termination, the former employee accessed the computer system and downloaded PHI (protected health information). The former employee also shared these credentials with an intern, who used them to access PHI. This incident came to a $202,400 settlement and a two-year corrective action plan.

In each case, it does not appear to be a technical failing, even though each involves electronic access to data. Instead, both appear to stem from a procedural failure to ensure a terminated user’s access to all systems is revoked in a timely manner.

You need to ensure the onboarding and offboarding of your employees follows a reliable process, with cooperative communication between HR, IT, and operations. When there are clear processes and methods of communication, problems like those above are avoided, and everyone can sleep a little easier at night. Contact Sterling Ideas to get more info on OCR Settlements or to see how we can protect your IT Infrastructure and organization.
