New Haven, Connecticut, failed to terminate an employee’s access to its health records system after the employee left. The former employee may have accessed a file containing the Protected Health Information of only 498 patients.
Why is this significant?
500 patients is the tipping point for appearing on the “Wall of Shame” which lists breaches that involve 500 patients or more. Up until now you may have thought that if your breach was not big enough to make that list you were not in line for a large fine. Time to think again.
OCR’s investigation revealed that, on July 27, 2016, a former employee returned to the health department, eight days after being terminated, logged into her old computer with her still-active user name and password, and downloaded PHI that included patient names, addresses, dates of birth, race/ethnicity, gender, and sexually transmitted disease test results onto a USB drive. Additionally, OCR found that the former employee had shared her user ID and password with an intern, who continued to use these login credentials to access PHI on New Haven’s network after the employee was terminated.
It is vital that, once an employee leaves your practice, you:
Terminate all of their usernames and passwords.
Terminate their physical access to any sensitive areas of your practice.
Now is a good time to look at your systems and make sure that you don’t have any ‘left over’ accounts that are still active that you should have shut down. Areas where you need to look include:
EHR Systems
Billing Systems
Digital Imaging Systems
Workstations
And any other computerized system you may have.
You also need to make sure you terminate access to email accounts associated with your practice. This item is often overlooked.
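One way to run the left-over account check described above, as an added example that is not part of the original article: it reconciles a termination roster against account exports from each system and flags accounts that are still enabled or that logged in after the termination date. The CSV column names, usernames and dates are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data; a real audit would use exports from HR and each system.
TERMINATIONS_CSV = """username,termination_date
jdoe,2016-07-19
asmith,2016-06-30
"""
ACCOUNTS_CSV = """system,username,enabled,last_login
EHR,jdoe,true,2016-07-27
Billing,jdoe,true,2016-07-10
Email,jdoe,false,2016-07-18
Imaging,asmith,true,
EHR,bnguyen,true,2016-07-28
"""

def find_leftover_accounts(terminations_csv, accounts_csv):
    """Return accounts of terminated staff that are still enabled or were used after termination."""
    terminated = {
        row["username"].strip().lower(): date.fromisoformat(row["termination_date"])
        for row in csv.DictReader(io.StringIO(terminations_csv))
    }
    findings = []
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        user = row["username"].strip().lower()
        if user not in terminated:
            continue  # current employee, out of scope for this check
        term = terminated[user]
        enabled = row["enabled"].strip().lower() == "true"
        last = date.fromisoformat(row["last_login"]) if row["last_login"] else None
        used_after = last is not None and last > term
        if enabled or used_after:
            findings.append({
                "system": row["system"],
                "username": user,
                "enabled": enabled,
                "days_used_after_termination": (last - term).days if used_after else None,
            })
    # Post-termination use is a possible incident, so list it before idle leftovers.
    findings.sort(key=lambda f: f["days_used_after_termination"] is None)
    return findings

if __name__ == "__main__":
    for f in find_leftover_accounts(TERMINATIONS_CSV, ACCOUNTS_CSV):
        print(f)
```

A login after the termination date is flagged regardless of who typed the password, so it also surfaces the shared-credential situation described above.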
This failure to close the accounts of the terminated employee cost the city of New Haven over $200,000 and they now have to implement a corrective action plan.
For more information and to get assistance with your HIPAA Security Program, contact TLD Systems at 631 403 6687.