City Health Department Failed to Terminate Former Employee’s Access to Protected Health Information

The Office for Civil Rights (“OCR”) announced today that the City of New Haven, Connecticut (“City”), which operates a public health clinic, has agreed to pay $202,400 and enter a corrective action plan to settle allegations of a potential violation of the Health Insurance Portability and Accountability Act (“HIPAA”). In January 2017, the City filed a breach report indicating that a former employee may have obtained access to protected health information (“PHI”) contained in the City’s electronic medical record system after the date of her termination. Specifically, the employee returned to the health department more than one week after her termination and used a City computer to log in to her former workstation—with still-active credentials—where she proceeded to download the PHI of 498 individuals onto a portable USB drive. Upon investigation, OCR also determined that the former employee had shared her login credentials with a City intern who used the credentials to access PHI on the City’s network.

The settlement value, $202,400, reflects the number of patients affected, the type of data that was compromised, and the City’s failure to conduct appropriate risk analyses and implement termination procedures to protect access to the PHI on its network. 

How Frier Levitt Can Help

OCR’s settlement with the City of New Haven demonstrates the necessity for organizations to enforce adequate termination procedures and conduct regular risk analyses to identify and correct vulnerabilities. Contact Frier Levitt for assistance with both preventing and responding to a variety of HIPAA breaches and violations, including through the development of comprehensive HIPAA compliance manuals and the preparation of appropriate risk analyses.