The U.S. Department of Health and Human Services (HHS) has entered into another settlement for the violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), this time with a small physician practice that violated HIPAA while using Internet-based calendar and email services.
Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, Arizona, has agreed to pay HHS a $100,000 settlement after it was reported that the physician practice violated HIPAA by posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. The HHS Office for Civil Rights’ (OCR) investigation also revealed that Phoenix Cardiac Surgery violated HIPAA by emailing patient information from an Internet-based email account to workforce members’ Internet-based email accounts.
The OCR investigation also revealed the following issues:
• Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information;
• Phoenix Cardiac Surgery failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
• Phoenix Cardiac Surgery failed to identify a security official and conduct a risk analysis; and
• Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to patients’ electronic protected health information (ePHI).
Leon Rodriguez, director of OCR, said “This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules. We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”
This settlement highlights the need for all providers, regardless of their size, to understand the implications of the technology they use in their practices, to implement policies and procedures for HIPAA compliance, and to obtain business associate agreements where needed.
A press release and more information can be found on HHS’s website.