
A Health Department Exposed PHI Through a Terminated Employee’s Still-Active Access

The HHS Office for Civil Rights (OCR) has settled for over $200,000 with the City of New Haven, Connecticut over potential violations of the Health Insurance Portability and Accountability Act (HIPAA) by the New Haven Health Department (NHHD). In January 2017, NHHD reported to OCR that a former employee had accessed a file containing the Protected Health Information (PHI) of 498 individuals. The method was simple: after her employment ended, the former employee returned to the office, logged into her old computer with her still-active user name and password, and downloaded the PHI to a USB drive. The files contained identifying personal data, including names, addresses, dates of birth, race/ethnicity, and gender, as well as results from sexually transmitted disease tests.

“Medical providers need to know who in their organization can access patient data at all times. When someone’s employment ends, so must their access to patient records,” said OCR Director Roger Severino.

In addition to the monetary penalty, New Haven is required to complete a “robust” Corrective Action Plan (CAP) with at least two years of monitoring. Within 90 days it must also:

  1. Conduct a comprehensive and thorough Risk Analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by NHHD.

  2. Review and revise, as necessary (within 30 days), its written policies and procedures to comply with the Federal standards that govern the privacy of individually identifiable health information, including:

    • Privacy Rule policies and procedures with respect to PHI that are designed to comply with the standards, implementation specifications, or other requirements of the Privacy Rule.

    • Terminating access to ePHI when the employment of, or other arrangement with, a workforce member ends.

    • Assigning a unique name and/or number for identifying and tracking user identity.

  3. Provide annual training on these policies and procedures to all workforce members who have access to ePHI.
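The two technical controls in the CAP, cutting off access the moment a workforce member leaves and giving every user a unique identifier so access is attributable, are exactly what would have caught the New Haven incident. The reconciliation below is an added example (not code from NHHD, OCR or Live Compliance) of how an organization can check those controls on a schedule: it joins an HR roster that carries termination dates against a directory export of enabled accounts and an authentication log, and flags accounts still enabled after termination, successful logins after termination, and enabled accounts that belong to nobody on the roster. All records, user names, hosts and the log format are constructed for illustration, and a real deployment would read them from the HR system, the directory and the SIEM instead.

```python
"""Offboarding reconciliation: find workforce accounts that should have been
disabled and any successful logins that occurred after a termination date.

Added example, not part of the original post or of any NHHD system. Every
record below is constructed for illustration; the field names (user, enabled,
termination date, log columns) are assumptions about how an HR export, a
directory export and an authentication log might look.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta

# Constructed HR roster: user name -> termination date (None = still employed).
HR_ROSTER = {
    "jdoe":   None,
    "asmith": date(2016, 7, 18),   # assumed termination date
    "bwong":  date(2016, 12, 1),
}

# Constructed directory export: user name -> account enabled flag.
DIRECTORY = {
    "jdoe":       True,
    "asmith":     True,   # should have been disabled at termination
    "bwong":      False,  # correctly disabled
    "svc-backup": True,   # not on the HR roster at all
}

# Constructed authentication log: "timestamp user outcome host" per line.
AUTH_LOG = """\
2016-07-20T09:14:02 jdoe success WS-07
2016-07-26T13:41:10 asmith success WS-12
2016-07-26T13:43:55 asmith success WS-12
2016-11-30T08:00:00 bwong success WS-03
2016-12-02T10:22:31 bwong failure WS-03
"""


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str    # "stale_account", "post_termination_login" or "orphan_account"
    detail: str


def parse_auth_log(text):
    """Parse the constructed log format into (timestamp, user, outcome, host)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, outcome, host = line.split()
        events.append((datetime.fromisoformat(ts), user, outcome, host))
    return events


def reconcile(hr_roster, directory, auth_events, grace=timedelta(days=0)):
    """Return findings for: accounts still enabled after termination, enabled
    accounts with no HR owner, and successful logins after termination.
    `grace` lets a policy tolerate same-day or hand-over logins; the default
    tolerates none, matching the CAP's "access ends when employment ends"."""
    findings = []
    for user, enabled in directory.items():
        if user not in hr_roster:
            if enabled:
                findings.append(Finding(user, "orphan_account",
                                        "enabled account with no HR record"))
            continue
        term = hr_roster[user]
        if term is not None and enabled:
            findings.append(Finding(user, "stale_account",
                                    f"still enabled, terminated {term}"))
    for ts, user, outcome, host in auth_events:
        term = hr_roster.get(user)          # None: employed or unknown
        if term is None or outcome != "success":
            continue
        if ts.date() > term + grace:
            findings.append(Finding(user, "post_termination_login",
                                    f"{ts.isoformat()} on {host}, terminated {term}"))
    return findings


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, DIRECTORY, parse_auth_log(AUTH_LOG)):
        print(f"{f.kind:24} {f.user:12} {f.detail}")
```

Run on a schedule, the first category is the preventive check (disable the account, then verify it stayed disabled) and the second is the detective one that turns an authentication log into an alert; the orphan check is what makes the unique-user-ID requirement enforceable, since an account nobody owns cannot be attributed to anyone. The absence of findings is only meaningful if the directory export is complete, so include service and shared accounts rather than filtering them out.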

Stop this from happening in your organization!

As we have stressed before, it is important to understand that every complaint or potential breach reported to HHS/OCR will be investigated. If you, as a billing company or other vendor, suspect a breach, you must inform the covered entity (your client) and have a breach risk assessment completed to determine the key factors and take action.

What can I do to ensure this doesn’t happen to me or my organization?

At Live Compliance, we make checking off your compliance requirements extremely simple.

Reliable and Effective Compliance

  • Completely online, our role-based courses make training easy for remote or in-office employees.

  • Contact-free, accurate Security Risk Assessments are conducted remotely. All devices are thoroughly analyzed regardless of location.

  • Policies and Procedures curated to fit your organization, keeping employees current on all Workstation Use and Security Safeguards whether they work in the office or out, with updates in real time.

  • Electronic, prepared document sending and signing to employees and business associates.

Don’t risk your company’s future, especially when we are offering a free Organization Assessment to help determine your company’s status.

Call us at (980) 999-1585, or email me, Jim Johnson at or visit
