The resolution agreement between OCR and PSMC notes that the medical center failed to de-activate the former employee's username and password following termination of employment.

In addition, PSMC impermissibly disclosed the PHI of at least 557 individuals to Google, its business associate, without obtaining satisfactory assurances from Google in the form of a written business associate agreement stating that Google would appropriately safeguard the PHI.

"It's common sense that former employees should immediately lose access to protected patient information upon their separation from employment," said OCR Director Roger Severino in the statement. "This case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn't."

https://www.careersinfosecurity.com/hipaa-case-hospital-fined-for-ex-employees-access-to-phi-a-11836

Jim Henderson