Cardiac Surgery MD Group Agrees to Pay 0,000 Settlement to HHS for Lack of HIPAA safeguards
And the HIPAA money keeps rolling to the feds. The latest settlement (announced today) is with a cardiac surgery physician group in Phoenix, Arizona, which has agreed to pay a hefty sum after someone reported to HHS that the MD group was potentially compromising patients’ PHI by posting appointments on an internet-based calendar, which prompted OCR to then investigate and find the physicians to be out of compliance with HIPAA’s safeguards.
The following April 17, 2012 Press Release is HOT off the presses on HHS’ News Release website:
Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, Arizona, has agreed to pay the U.S. Department of Health and Human Services (HHS) a $100,000 settlement and take corrective action to implement policies and procedures to safeguard the protected health information of its patients.
The settlement with the physician practice follows an extensive investigation by the HHS Office for Civil Rights (OCR) for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.
The incident giving rise to OCR’s investigation was a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR found that Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules, and had limited safeguards in place to protect patients’ electronic protected health information (ePHI).
This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” said Leon Rodriguez, director of OCR. “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.
The HHS Resolution Agreement can be found on HHS’ website here. OCR’s investigation revealed the following specific issues with this group’s HIPAA program:
- Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information;
- Phoenix Cardiac Surgery failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
- Phoenix Cardiac Surgery failed to identify a security official and conduct a risk analysis; and
- Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI. This last finding being a significant one, and underscores that HIPAA BA Agreements MUST be entered into with vendors who have access to ePHI to facilitate a service to covered entities!
With the HITECH Rules in OMB and due out by mid June (unless an extension is sought by OMB), it will be particularly interesting to see if the Final Rules address the HITECH Act’s requirement for percentages being paid out to individuals “damaged” by breaches of their information. The HITECH Act required rules on that topic to be out by this summer. Since an individual’s report to HHS triggered this particular investigation and subsequent settlement, some are suggesting that such percentage payouts to individuals for HIPAA violations could in effect become almost like a whistle-blower provision and incentivize patients and others to submit reports to HHS for potential investigation. I think that might be the point.
But for now, this case just underscores once again that the best way for physician practices (and other covered entities) to protect themselves is to have a fully robust HIPAA compliance program developed and implemented (see, for example, our comprehensive HIPAA-HITECH Helpbook on www.ohcsolutions.com). Don’t forget to also conduct a Security Gap Audit (see www.myhic.net, a leading company that specializes in and has thousands of hours of experience under its belt with competing Security Audits for Physician Practices, or contact them here). Finally, don’t forget to provide regular training to your employees. For live training sessions and video training options, visit our Workshops page.
