April 18, 2012
The Office for Civil Rights (OCR) of the Department of Health and Human
Services (HHS) has just sent another strong signal to healthcare providers and
plans that it intends to enforce the Health Insurance Portability and
Accountability Act (HIPAA) Privacy and Security Rules aggressively, and that it
does not intend to give a pass to small healthcare providers or practices. On
April 17, 2012, HHS announced that it had entered into a $100,000 settlement and
executed a resolution agreement with Phoenix Cardiac Surgery, P.C., a physician
practice with offices in Phoenix and Prescott, Arizona.
The settlement, as announced by HHS, marks the conclusion of an in-depth
investigation by the OCR into the privacy and security practices of Phoenix
Cardiac Surgery. The investigation was triggered by a report that Phoenix
Cardiac Surgery was posting clinical and surgical appointments for its patients
on an Internet-based calendar that was publicly accessible. However, the OCR
investigation soon expanded into a full review of the entity’s HIPAA compliance.
This resulted in a series of findings, including the following:
- The practice failed to implement adequate policies and procedures to
safeguard protected health information (PHI) appropriately.
- The practice failed to document that it had trained its employees
regarding its privacy and security policies and procedures.
- The practice failed to appoint a security official and to conduct a risk
assessment. (The Security Rule mandates that covered entities appoint a
security official and conduct an assessment of the potential risks and
vulnerabilities to the confidentiality, availability and integrity of the
electronic PHI (ePHI) held by the covered entity.)
- The practice failed to obtain business associate agreements with
Internet-based email and calendar services where the provision of the
service included storage of and access to its ePHI.
The OCR also found that, on a daily basis, over a period of four years,
Phoenix Cardiac Surgery had transmitted ePHI from an Internet-based email
account to the personal Internet-based email accounts of workforce members,
underscoring the risks posed to practices by the unregulated or unsupervised use
of email for the transmission of ePHI.
Although Phoenix Cardiac Surgery is a small, non-institutional provider,
i.e., a physician practice with just two owners, the OCR did not relieve the
practice of its obligation to comply with the basic requirements of HIPAA.
Instead, the OCR required the practice to pay $100,000 to settle the claims
against it and to enter into a one-year corrective action plan (CAP). Pursuant
to the terms of the CAP, the practice must develop policies and procedures that
comply with the HIPAA Privacy and Security Rules, send them to OCR for approval
and fully implement them within 30 days of OCR’s approval. The CAP also requires
the practice to obtain a signed statement from every workforce member that he or
she has read, understands and will abide by the policies and procedures. The CAP
requires the practice to train all workforce members who use or disclose PHI
regarding the policies and procedures within 60 days of OCR’s approval of the
policies. During the term of the CAP, any violation of the policies and
procedures must be reported to OCR, together with steps the practice intends to
take to mitigate any harm and prevent recurrence.
In announcing the settlement, Leon Rodriquez, director of OCR, strongly
cautioned the provider community not to disregard HIPAA:
This case is significant because it highlights a multi-year, continuing
failure on the part of this provider to comply with the requirements of the
Privacy and Security Rules .... We hope that health care providers pay
careful attention to this resolution agreement and understand that the HIPAA
Privacy and Security Rules have been in place for many years, and OCR
expects full compliance no matter the size of a covered entity.
The resolution agreement, which includes the OCR’s findings and the details
of the CAP, may be found
here.
If you have any questions regarding this article or HIPAA compliance more
generally, you may contact
Kim Kannensohn at 312.750.8649.