A Colorado hospital has agreed to pay $111,400 to the Office for Civil Rights (OCR) at the US Dept of Health and Human Services (HHS) and to adopt a substantial two-year corrective action plan to settle potential HIPAA violations after a former employee allegedly continued to have remote access to the hospital’s web-based scheduling calendar. Additionally, the investigation revealed that the hospital did not have a business associate agreement in place with the web-based scheduling system vendor, which also received access to the 557 patient records in question. A link to the press release is below: