The City of New Haven, Connecticut (New Haven) has agreed to pay $202,400 to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) and to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. The New Haven Health Department, among other things, operates a public health clinic that provides preventative medical services, including adult and pediatric immunizations.
In January 2017, the New Haven Health Department filed a breach report with OCR stating that a former employee may have accessed a file on a New Haven computer containing the protected health information (PHI) of 498 individuals. OCR’s investigation revealed that, on July 27, 2016, a former employee returned to the health department, eight days after being terminated, logged into her old computer with her still-active user name and password, and downloaded PHI that included patient names, addresses, dates of birth, race/ethnicity, gender, and sexually transmitted disease test results onto a USB drive. Additionally, OCR found that the former employee had shared her user ID and password with an intern, who continued to use these login credentials to access PHI on New Haven’s network after the employee was terminated.
OCR’s investigation determined that New Haven failed to conduct an enterprise-wide risk analysis, and failed to implement termination procedures, access controls such as unique user identification, and HIPAA Privacy Rule policies and procedures.
“Medical providers need to know who in their organization can access patient data at all times. When someone’s employment ends, so must their access to patient records,” said OCR Director Roger Severino.
In addition to the monetary settlement, New Haven has agreed to a robust corrective action plan that includes two years of monitoring. The resolution agreement and corrective action plan may be found here – PDF*.
*People using assistive technology may not be able to fully access information in this file. For assistance, contact the HHS Office for Civil Rights at (800) 368-1019, TDD toll-free: (800) 537-7697, or by emailing [email protected].
Source: U.S. Department of Health & Human Services