City will pay $202K to settle potential violations of HIPAA Privacy and Security Rules

Washington —  The city of New Haven, Connecticut, has agreed to settle potential violations of the Health Insurance Portability and Accountability Act Privacy and Security Rules after filing a breach report stating that a former employee may have accessed a file on a city computer containing the protected health information of nearly 500 people.

The city will pay $202,400 and implement a corrective action plan to settle the potential HIPPA violations, according to an Office of Civil Rights news release.

In January 2017, the New Haven Health Department filed a breach report, and the U.S. Department of Health and Human Services’ Office of Civil Rights learned that on July 27, 2016, a former employee returned to the health department, eight days after being terminated. The former employee logged into her old computer with her still-active user name and password and downloaded protected health information that included patient names, addresses, dates of birth, race/ethnicity, gender and sexually transmitted disease test results onto a USB drive.

In addition, the Office of Civil Rights found that the former employee shared her user ID and password with an intern, who continued to use these login credentials to access protected health information on New Haven’s network after the employee was terminated.

The investigation determined that New Haven failed to conduct an enterprise-wide risk analysis and failed to implement termination procedures, access controls such as unique user identification and HIPAA Privacy Rule policies and procedures.

“Medical providers need to know who in their organization can access patient data at all times,” said Office of Civil Rights Director Roger Severino in the news release. “When someone’s employment ends, so must their access to patient records.”