Do you know who has access to your PHI?

PAGOSA SPRINGS, CO – On December 11, 2018, the Department of Health and Human Services, Office for Civil Rights (“OCR”) announced a settlement with a critical access hospital in Colorado, Pagosa Springs Medical Center (“PSMC”). PSMC agreed to pay $111,400 to resolve alleged violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

According to the settlement[1], the OCR alleged that from July to September of 2013, PSMC impermissibly disclosed the PHI of 557 individuals. The impermissible disclosures were attributable to two sources. First, the hospital failed to deactivate a former employee’s credentials to a web-based scheduling calendar. Additionally, through the course of the investigation, it was discovered that PSMC impermissibly disclosed the same PHI to Google. Google was the contracted vendor providing the web-based scheduling software to PSMC, yet the parties lacked a business associate agreement (“BAA”)[2].

This recent settlement is notable because it provides some important reminders when it comes to knowing who has access to your PHI.

Important Reminders

There are no small fish. PSMC is a critical access hospital (i.e., 25 beds or fewer) located in a rural part of Colorado. For smaller organizations, this settlement is a cautionary tale that no organization is too small for the OCR’s resources to investigate.

Security management extends after employment. In this case, PSMC failed to remove a former employee’s access after separation of employment. This settlement is a reminder that security management doesn’t end when the employment relationship ends.

Don’t rely on others to be mindful of your PHI. In the context of protecting your PHI, you need to watch out for yourself and others. In this case, both parties failed to recognize the need for a BAA. To that end, don’t assume the other party will catch relationships requiring a BAA.

Tips for compliance

Policies and procedures. Review your policies including roles-based access, termination of access, and business associate agreements.

Termination-of-access audit. Conduct an audit of your procedures for termination-of-access. Pull a random sample of employees who have left the organization within the last 12-24 months to ensure your policies are being followed.

Workflow Gap Analysis. Conduct a gap analysis of your workflow processes related to granting and terminating access. Are there any communication gaps? Is communication required to HR and other appropriate personnel confirming access has been granted and terminated?
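The termination-of-access audit and the workflow gap analysis above can both be driven from two exports: the HR list of separated employees and the account list from each system holding PHI (here, a web-based scheduling application, as in the PSMC case). The following is an added example, not code from the original post or from SunHawk Consulting. It reconciles the two lists for separations within a configurable window (the 12-24 month sample suggested above), flags accounts that are still active, were deactivated late, or were used after the separation date, and can draw a random sample for manual review. Both CSV exports are constructed for the example, and their column layout is an assumption; a real audit would use the actual export formats of the HR system and the vendor application.

```python
"""Reconcile HR separations against application accounts (added example, not the post's code)."""
import csv
import io
import random
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed HR separation export (sample data, not real employees).
HR_SEPARATIONS_CSV = """employee_id,name,separation_date
E1001,Alice Example,2017-11-30
E1002,Bob Example,2018-03-15
E1003,Carol Example,2018-06-01
E1004,Dan Example,2016-09-10
"""

# Constructed account export from a hypothetical web-based scheduling application.
# Column names are an assumption about what such an export would contain.
SCHEDULING_ACCOUNTS_CSV = """username,employee_id,status,last_login,deactivated_on
alice,E1001,active,2018-04-02,
bob,E1002,disabled,2018-03-10,2018-03-16
carol,E1003,active,2018-05-20,
dan,E1004,active,2018-02-01,
erin,E1005,active,2018-11-30,
"""


@dataclass
class Account:
    username: str
    employee_id: str
    status: str
    last_login: Optional[date]
    deactivated_on: Optional[date]


@dataclass
class Finding:
    employee_id: str
    username: str
    finding: str   # ORPHANED_ACTIVE, LATE_DEACTIVATION or POST_SEPARATION_LOGIN
    detail: str


def _opt_date(s: str) -> Optional[date]:
    """Parse an ISO date field; blank means 'no value'."""
    return date.fromisoformat(s) if s.strip() else None


def load_separations(csv_text: str) -> Dict[str, date]:
    """Map employee_id -> separation date from the HR export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["employee_id"]: date.fromisoformat(r["separation_date"]) for r in rows}


def load_accounts(csv_text: str) -> List[Account]:
    """Parse the application's account export into Account records."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [Account(r["username"], r["employee_id"], r["status"],
                    _opt_date(r["last_login"]), _opt_date(r["deactivated_on"])) for r in rows]


def months_before(d: date, n: int) -> date:
    """First day of the month n months before d (window boundary for the sample)."""
    y, m = divmod(d.month - 1 - n, 12)
    return d.replace(year=d.year + y, month=m + 1, day=1)


def select_window(separations: Dict[str, date], as_of: date, months: int = 24) -> Dict[str, date]:
    """Keep only separations that fall within the last `months` months before as_of."""
    start = months_before(as_of, months)
    return {eid: d for eid, d in separations.items() if start <= d <= as_of}


def random_sample(separations: Dict[str, date], k: int, seed: int = 0) -> Dict[str, date]:
    """Draw a reproducible random sample of k separated employees for manual review."""
    ids = sorted(separations)
    chosen = random.Random(seed).sample(ids, min(k, len(ids)))
    return {eid: separations[eid] for eid in chosen}


def audit(separations: Dict[str, date], accounts: List[Account], grace_days: int = 1) -> List[Finding]:
    """Compare each account against the HR separation date and record policy deviations.

    A deactivation more than grace_days after separation is reported as a gap between
    HR and the system owner, which is exactly what a workflow gap analysis looks for.
    """
    findings: List[Finding] = []
    for a in accounts:
        sep = separations.get(a.employee_id)
        if sep is None:
            continue  # not a separated employee in the audited window
        deadline = sep + timedelta(days=grace_days)
        if a.status.lower() == "active":
            findings.append(Finding(a.employee_id, a.username, "ORPHANED_ACTIVE",
                                    f"still active; employee separated {sep}"))
        elif a.deactivated_on is not None and a.deactivated_on > deadline:
            lag = (a.deactivated_on - sep).days
            findings.append(Finding(a.employee_id, a.username, "LATE_DEACTIVATION",
                                    f"deactivated {a.deactivated_on}, {lag} days after separation"))
        if a.last_login is not None and a.last_login > sep:
            findings.append(Finding(a.employee_id, a.username, "POST_SEPARATION_LOGIN",
                                    f"last login {a.last_login} is after separation {sep}"))
    return findings


if __name__ == "__main__":
    window = select_window(load_separations(HR_SEPARATIONS_CSV), date(2018, 12, 11), months=24)
    for f in audit(window, load_accounts(SCHEDULING_ACCOUNTS_CSV)):
        print(f"{f.finding:22} {f.employee_id} ({f.username}): {f.detail}")
```

Run against the constructed data with an as-of date of December 11, 2018, the script reports two accounts still active after separation and one post-separation login, while the employee who separated outside the 24-month window and the account deactivated within the one-day grace period produce no findings. In practice the same reconciliation is repeated for every vendor system that holds PHI, and a late or missing deactivation in any of them is the evidence to bring to the HR-to-IT workflow review.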

BAAs. Conduct an audit of your BAAs. Does your organization have BAAs in place covering all relationships with vendors creating, receiving, maintaining, or transmitting your PHI? Do your BAAs contain language according to the current regulatory requirements?

BAA procedures. Conduct an audit of your procedures for managing and executing BAAs.

  • Who is authorized to execute a BAA?

  • Where are they located?

  • Who is responsible for managing your BAAs?

  • Does your organization maintain a catalog of all BAAs?

  • Are there any communication gaps between those responsible for executing BAAs and those managing them?

  • Does your organization have a BAA policy and do your procedures follow your policies?

Like any OCR settlement, this one provides helpful reminders to look internally at your operations. Settlements can also become tools to educate your workforce members to prevent similar occurrences in your organization.


[1] See OCR Resolution Agreement for Pagosa Springs Medical Center.

[2] See OCR Press Release for Settlement with Pagosa Springs Medical Center.

About SunHawk Consulting:

SunHawk Consulting serves the needs of company Boards of Directors, internal/external legal counsel, company management and employees, special committees, bankruptcy trustees and receivers, and government agencies.

SunHawk Consulting maintains cost-effective pricing for every engagement, leverages clients' internal staff wherever possible, all while effectively providing the following services:


  • Evaluation and Design of Compliance Programs

  • External Review and Monitoring: CIAs and IROs

  • HIPAA: Privacy, Security, and Breach Assessments

  • Broad-Based Compliance Support: Training, Policy Drafting and More

  • Claims Analytics, Audit Services & Coding Education


  • Forensic Accounting & Investigations

  • Complex Litigation & Disputes

  • Bankruptcy and Receivership Services

  • Mergers and Acquisitions: Regulatory and Compliance Due Diligence

  • Provider Payment Modeling and Forecasting


  • Compliance, internal audit, accounting, finance, and investigations staff

To learn more, please visit

#OCR #AuditProtocols #HIPAA #PHI #BAA #Compliance #SunHawkConsulting