When an employee is terminated, it is necessary to remove access to protected health information (PHI) immediately. It is just as important for employees not to share their log-in credentials with anyone. The City of New Haven, Connecticut found out the hard way. In January 2017 the New Haven Health Department filed a breach report stating that a terminated employee may have accessed a file on a New Haven computer that contained PHI (protected health information) of 498 individuals. During the OCR’s investigation they discovered the former employee had returned to the health department eight days after being terminated and logged into her old computer and downloaded patient information to a USB drive. They also uncovered that the former employee had shared her user credentials with an intern, who continued to use these credentials to access PHI.
As we have mentioned before, when you are under investigation, they review all of your compliance efforts and not just the incident that provoked the investigation. During this investigation, the OCR determined they failed to conduct a system wide risk analysis and failed to implement access controls and termination procedures.
“Medical providers need to know who in their organization can access patient data at all times. When someone’s employment ends, so must their access to patient records,” said OCR Director Roger Severino.
This mistake cost the City of New Haven $202, 400 and they must implement a robust corrective action plan that includes two years of monitoring.
