HHS cracks down on physicians' practice for HIPAA violation
Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, Ariz. has agreed to pay the Department of Health and Human Services a $100,000 settlement and take corrective action to implement policies and procedures to safeguard the protected health information of its patients.
The settlement with the physician practice follows an investigation by the HHS Office for Civil Rights (OCR) for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.
The incident giving rise to OCR’s investigation, according to an HHS news release, was a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. While investigating the report, OCR found that Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA rules, and it had limited safeguards in place to protect patients’ electronic protected health information (ePHI).
“This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the privacy and security rules,” said Leon Rodriguez, director of OCR. “We hope that healthcare providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”
OCR's investigation revealed the following issues with Phoenix Cardiac Surgery:
• failed to implement adequate policies and procedures to appropriately safeguard patient information;
• failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
• failed to identify a security official and conduct a risk analysis; and
• failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.
Besides the $100,000 settlement payment, OCR is requiring Phoenix Cardiac Surgery to implement a corrective action plan that includes a review of recently developed policies and other actions taken to come into full compliance with the HIPAA Privacy and Security Rules.
The HHS Resolution Agreement can be found here.