If your company needs another reminder that policies and
procedures, risk assessments, documentation and training are
critical elements for HIPAA compliance programs, we have another
corrective action plan – and monetary fine –
that should be utilized as a "teachable moment" for
health care providers and business associates alike.
Phoenix Cardiac Surgery, P.C. has agreed to pay a $100,000 fine
and implement a corrective action plan under a Resolution Agreement with the U.S. Department
of Health and Human Services (HHS) Office for Civil Rights (OCR)
after a lengthy investigation into potential violations of the
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Privacy and Security Rules.
OCR investigated the physician practice following a report that
it had been posting clinical and surgical appointments on a
publicly accessible Internet-based calendar. OCR's
investigation, dating back to 2003, found that Phoenix Cardiac
Surgery had failed to implement sufficient policies and procedures
to appropriately safeguard patient information. OCR also concluded
that the physician practice did not adequately document employee
training on the Privacy and Security Rules, identify a security
official, conduct a risk analysis, or obtain satisfactory
assurances in business associate agreements with Internet-based
calendar and email providers. In a press release announcing the Phoenix Cardiac
Surgery settlement, OCR Director Leon Rodriguez expressed the
agency's hope that health care providers "pay careful
attention" to the Resolution Agreement and the expectation
that all providers, "no matter the size," fully comply
with the Privacy and Security Rules.
The Resolution Agreement has a clear warning for service
providers: Vendors of services that store and transmit patient
information, including the seemingly innocuous Web-based e-mail and
calendar services, are business associates and are required to
comply with the Privacy and Security Rules. It also serves as a
reminder to health care providers to ensure that business associate
agreements are in place for all these types of services.
The settlement reaffirms OCR's commitment to enforcing the
Privacy and Security Rules, and its willingness to sanction covered
entities for HIPAA violations. Just
last month, BlueCross BlueShield of Tennessee agreed to pay
$1.5 million to settle claims of non-compliance with the Privacy
and Security Rules.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.