On April 17, 2012, the U.S. Department of Health & Human Services Office for Civil Rights ("OCR") announced that Phoenix Cardiac Surgery, P.C. ("Phoenix"), a five-physician Arizona cardiology practice, had entered into a resolution agreement related to allegations that it violated the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). This is the first such resolution agreement between OCR and a physician practice. Under the terms of the resolution agreement, Phoenix agreed to pay the government $100,000 and to implement a corrective action plan requiring the practice to develop policies and take other steps to correct the alleged violations.
The alleged HIPAA violations covered by the resolution agreement were identified during a 2009 OCR investigation, which was triggered by a complaint that Phoenix had impermissibly disclosed electronic protected health information ("ePHI") by posting patient appointment information on a publicly accessible, Internet-based calendar. The allegations include that Phoenix:
- Did not provide and document training of workforce members on HIPAA policies and procedures;
- Posted ePHI on a publicly accessible, Internet-based calendar;
- Transmitted ePHI on a daily basis from an Internet-based e-mail account to workforce members' personal e-mail accounts;
- Failed to identify a HIPAA security officer;
- Failed to conduct an assessment of risks to ePHI; and
- Failed to obtain business associate agreements with the Internet-based calendar and e-mail providers.
A copy of the settlement agreement and corrective action plan can be found here: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/pcsurgery_agreement.pdf
According to Leon Rodriguez, director of the OCR, this resolution is evidence that the OCR expects full compliance with HIPAA requirements regardless of the size of a covered entity.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.