On April 29, 2012, the HHS Office of Civil Rights (OCR)
announced that it entered into a settlement agreement with Phoenix
Cardiac Surgery, P.C. (PCS), a private physician practice providing
cardiothoracic surgery services in Arizona. As part of the
settlement, PCS agreed to pay $100,000 to resolve the matter and
enter into a Corrective Action Plan that will remain in effect for

OCR began its investigation of PCS on February 19, 2009. While
it is not abundantly clear, it appears from the Resolution
Agreement that the investigation arose out of two complaints
against PCS. As a direct result of the investigation, OCR found the
following violations, among others: (1) PCS failed to provide and
document the training of each workforce member for 6 years; (2) PCS
posted over 1,000 separate entries of ePHI on a publicly accessible
internet-based calendar over a 2-year period; and (3) PCS
transmitted ePHI from an internet-based email account to workforce
members' personal internet-based email accounts on a daily
basis. With respect to violations (2) and (3), OCR found that PCS
failed to obtain satisfactory assurances by entering into business
associate agreements with each of the companies that provided the
internet-based calendar and the internet-based public email.

With its release of the Guide to Privacy and Security of Health
Information on May 9, 2012, the Office of the National Coordinator
(ONC), another division of HHS, demonstrates that HHS is getting
more serious about privacy and security enforcement. The target
audience for this Guide is medical practices, with ONC noting that
compliance with the HIPAA Privacy and Security Rules is a core
requirement of the CMS Meaningful Use incentive program.

Medical practices need to take this opportunity now to evaluate
their compliance with the HIPAA Privacy and Security Rules. In its
action against PCS, OCR made clear that if protected health
information is shared through electronic means, satisfactory
assurances are required. This means that, if an office uses e-mail,
text messages, or other similar options to communicate with its
patients or amongst each other, office management must ensure that
proper business associate agreements are in place.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.