If your company needs another reminder that policies and procedures, risk assessments, documentation and training are critical elements for HIPAA compliance programs, we have another corrective action plan – and monetary fine – that should be used as a "teachable moment" for health care providers and business associates alike.

Phoenix Cardiac Surgery, P.C. has agreed to pay a $100,000 fine and implement a corrective action plan under a Resolution Agreement with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) after a lengthy investigation into potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

OCR investigated the physician practice following a report that it had been posting clinical and surgical appointments on a publicly accessible Internet-based calendar. OCR's investigation, dating back to 2003, found that Phoenix Cardiac Surgery had failed to implement sufficient policies and procedures to appropriately safeguard patient information. OCR also concluded that the physician practice did not adequately document employee training on the Privacy and Security Rules, identify a security official, conduct a risk analysis, or obtain satisfactory assurances in business associate agreements with Internet-based calendar and email providers. In a press release announcing the Phoenix Cardiac Surgery settlement, OCR Director Leon Rodriguez expressed the agency's hope that health care providers "pay careful attention" to the Resolution Agreement and the expectation that all providers, "no matter the size," fully comply with the Privacy and Security Rules.

The Resolution Agreement has a clear warning for service providers: vendors of services that store and transmit patient information, including the seemingly innocuous Web-based e-mail and calendar services, are business associates and are required to comply with the Privacy and Security Rules. It also serves as a reminder to health care providers to ensure that business associate agreements are in place for all these types of services.

The settlement reaffirms OCR's commitment to enforcing the Privacy and Security Rules, and its willingness to sanction covered entities for HIPAA violations. Just last month, BlueCross BlueShield of Tennessee agreed to pay $1.5 million to settle claims of non-compliance with the Privacy and Security Rules.