Cardiology Practice to Pay $100,000 to Settle Allegations of HIPAA Violations
A small cardiology practice in Phoenix has agreed to pay $100,000 to the federal government and implement a corrective action plan to settle allegations it violated Health Insurance Portability and Accountability Act Privacy and Security Rules.
The Department of Health and Human Services Office for Civil Rights launched an investigation of Phoenix Cardiac Surgery’s data privacy and security practices after receiving reports that the physician group posted patients’ protected health information (PHI) on a publicly available internet-based calendar, HHS said in an April 17 news release. Phoenix Cardiac Surgery is a covered entity under HIPAA.
Additional Violations Found
HHS said the investigation also found other HIPAA violations in addition to the posting of patients’ PHI online, according to details in a 12-page resolution agreement between OCR and Phoenix Cardiac Surgery released April 17.
Among the specific violations OCR said its investigation uncovered:
• From April 2003 until October 2009, the practice did not provide and document employee training on policies and procedures for handling PHI.
• From July 2003 until February 2009, the practice posted more than 1,000 separate entries of electronic PHI (ePHI) on a publicly accessible, internet-based calendar.
• From September 2005 until November 2009, the practice transmitted, daily, ePHI from an internet-based email account to workforce members’ personal email accounts.
• From September 2005 until November 2009, the practice failed to conduct a thorough analysis of the risk and vulnerabilities to ePHI.
No Business Associate Assurances
The settlement agreement also cited alleged failures by the covered entity to obtain “satisfactory assurances” in its business associate agreements that the internet-based calendar and email accounts used by the practice provided appropriate safeguards for ePHI.
“We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.” –Leon Rodriguez, HHS Office for Civil Rights
“This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” OCR Director Leon Rodriguez said in the HHS release. “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”
As part of the correction action plan, Phoenix Cardiac Surgery agreed to implement policies and procedures to comply with the HIPAA Privacy and Security Rules, including:
- conducting risk and vulnerability assessments for ePHI,
- putting technical safeguards in place to protect ePHI, and
- providing workforce training on HIPAA privacy and security policies.
The resolution agreement is available HERE