If your company needs another reminder that policies and
procedures, risk assessments, documentation and training are
critical elements for HIPAA compliance programs, we have another
corrective action plan – and monetary fine –
that should be utilized as a "teachable moment" for
health care providers and business associates alike.
Phoenix Cardiac Surgery, P.C. has agreed to pay a $100,000 fine
and implement a corrective action plan under a Resolution Agreement with the U.S. Department
of Health and Human Services (HHS) Office for Civil Rights (OCR)
after a lengthy investigation into potential violations of the
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Privacy and Security Rules.
OCR investigated the physician practice following a report that
it had been posting clinical and surgical appointments on a
publicly accessible Internet-based calendar, so that patient names and
procedure details were readable by anyone who reached the page. OCR's
investigation, dating back to 2003, found that Phoenix Cardiac
Surgery had failed to implement sufficient policies and procedures
to appropriately safeguard patient information. OCR also concluded
that the physician practice did not adequately document employee
training on the Privacy and Security Rules, identify a security
official, conduct a risk analysis, or obtain satisfactory
assurances in business associate agreements with its Internet-based
calendar and e-mail providers. In a press release announcing the Phoenix Cardiac
Surgery settlement, OCR Director Leon Rodriguez expressed the
agency's hope that health care providers "pay careful
attention" to the Resolution Agreement and the expectation
that all providers, "no matter the size," fully comply
with the Privacy and Security Rules.
The Resolution Agreement carries a clear warning for service
providers: Vendors whose services store or transmit patient
information on a covered entity's behalf, including seemingly innocuous Web-based e-mail and
calendar services, are business associates and are required to
comply with the Privacy and Security Rules. It also serves as a
reminder to health care providers to inventory every such service they use
and to ensure that a business associate agreement is in place for each one
before patient information is placed in it.
The settlement reaffirms OCR's commitment to enforcing the
Privacy and Security Rules, and its willingness to sanction covered
entities for HIPAA violations. Just
last month, BlueCross BlueShield of Tennessee agreed to pay
$1.5 million to settle claims of non-compliance with the Privacy
and Security Rules.