Pagosa Springs Medical Center agreed to pay the federal government $111,400 to settle an allegation it failed to protect patient health information.
The hospital also agreed to update its security management among other changes to settle a complaint alleging it released health information to a former employee and posted it to a web-based scheduling calendar, according to the Office for Civil Rights at the U.S. Department of Health and Human Services.
Health and Human Services released the agreement it reached with the hospital last week. The agreement settles potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules, according to a Health and Human Services news release.
“Back in 2013 when the breach occurred, PSMC accepted responsibility for the breach and since that time has anticipated the settlement agreement and fine that finally arrived,” said Ann Bruzzese, chief administrative officer and attorney for Pagosa Springs Medical Center, in an email to The Durango Herald.
However, the hospital did not admit to any legal liability as part of the agreement.
Health and Human Services was investigating the hospital for failing to terminate a former employee’s user name and password to a Google web-based calendar in 2013, according to the agreement. The failure resulted in improper sharing of health information from 557 patients.
The Google calendar contained patient names and, in some instances, a statement of a procedure that was going to be performed, Bruzzese said.
The hospital was also fined for releasing patient information to Google without having a business associate agreement required by HIPAA in place, the HHS agreement said. The hospital was charged $100 per patient each time information was released, Bruzzese said.
After the patient information was released, the hospital notified all affected patients in writing and published information about the breach in The Pagosa Springs Sun, she said.
In 2014 and 2015, the hospital determined how the release of information happened and then prepared a plan and took steps to prevent information from being released improperly again, she said. The hospital reported its work to the Office for Civil Rights, she said.
However, the hospital will also have to complete a two-year action plan to settle the complaint in addition to the steps it has already taken, Bruzzese said.
The two-year plan requires staff training, updating security management and revising agreements it must have with businesses before it can release patient information.