In December 2018, Pagosa Springs Medical Center settled potential Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rule violations and entered into a corrective action plan with the Office for Civil Rights (OCR) at the U.S. Department of Health & Human Services. The incident involved a former employee who continued to have remote access to Pagosa Springs Medical Center’s web-based scheduling calendar for two months after the employee’s termination, which resulted in 557 individuals’ electronic protected health information (ePHI) being improperly disclosed. Additionally, there was no business associate agreement between Pagosa Springs Medical Center and Google, the web-based scheduling calendar vendor. Pagosa Springs Medical Center, an 11-bed critical access hospital located in rural Colorado, paid $111,400 and entered into a two-year corrective action plan. The corrective action plan includes updates to Pagosa Springs Medical Center’s HIPAA security management, business associate agreement, and policies and procedures, as well as training its workforce in these areas.
