If your company needs another reminder that policies and
procedures, risk assessments, documentation and training are
critical elements for HIPAA compliance programs, we have another
corrective action plan – and monetary fine –
that should be utilized as a "teachable moment" for
health care providers and business associates alike.
Phoenix Cardiac Surgery, P.C. has agreed to pay a $100,000 fine
and implement a corrective action plan under a Resolution Agreement with the U.S. Department
of Health and Human Services (HHS) Office for Civil Rights (OCR)
after a lengthy investigation into potential violations of the
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Privacy and Security Rules.
OCR investigated the physician practice following a report that
it had been posting clinical and surgical appointments on a
publicly accessible Internet-based calendar. OCR's
investigation, dating back to 2003, found that Phoenix Cardiac
Surgery had failed to implement sufficient policies and procedures
to appropriately safeguard patient information. OCR also concluded
that the physician practice did not adequately document employee
training on the Privacy and Security Rules, identify a security
official, conduct a risk analysis, or obtain satisfactory
assurances in business associate agreements with Internet-based
calendar and email providers. In a press release announcing the Phoenix Cardiac
Surgery settlement, OCR Director Leon Rodriquez expressed the
agency's hope that health care providers "pay careful
attention" to the Resolution Agreement and the expectation
that all providers, "no matter the size," fully comply
with the Privacy and Security Rules.
The Resolution Agreement has a clear warning for service
providers: Vendors of services that store and transmit patient
information, including the seemingly innocuous Web-based e-mail and
calendar services, are business associates and are required to
comply with the Privacy and Security Rules. It also serves as a
reminder to health care providers to ensure that business associate
agreements are in place for all these types of services.
The settlement reaffirms OCR's commitment to enforcing the
Privacy and Security Rules, and its willingness to sanction covered
entities for HIPAA violations. Just
last month, BlueCross BlueShield of Tennessee agreed to pay
$1.5 million to settle claims of non-compliance with the Privacy
and Security Rules.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
I strongly urge every covered entity and business associate faced with a Business Associate Agreement that includes indemnification provisions to read Michael Kline’s "List of Considerations" before signing.