HIPAA Enforcement - No Physician Office Too Small
May 1, 2012
Tiny Cardiology Practice to Pay $100,000
Once again, the Office for Civil Rights (“OCR”) has bared its teeth and shown that no practice group is too small for enforcement action. Phoenix Cardiac Surgery, P.C. (“PCS”) learned this the hard way on April 17, 2012, when OCR announced a settlement and Corrective Action Plan (the “Plan”) with the two-physician practice. To date, almost all OCR enforcement actions have been against large insurers and major hospital systems, not community hospitals or small physician practice groups. The settlement was unusual in several ways.
The alleged violation was a systemic, multi-year failure to adopt and implement appropriate HIPAA safeguards. The settlement amount of $100,000 was minuscule. The violation has yet to appear on OCR’s “Wall of Shame” (which lists only breaches affecting 500 or more individuals), suggesting that the breach may have involved fewer than 500 individuals.
OCR’s investigation of PCS followed a report that PCS was posting surgical and clinical appointments for its patients on a publicly accessible Internet-based calendar. OCR also discovered the following issues:
- PCS failed to implement adequate policies and procedures to appropriately safeguard patient information;
- PCS failed to provide and document training of its employees on its policies and procedures under the HIPAA Privacy and Security Rules;
- PCS transmitted ePHI daily from an Internet-based email account to workforce members’ personal Internet-based email accounts;
- PCS failed to name a security officer and to conduct a risk analysis; and
- PCS failed to obtain business associate agreements with Internet-based email and calendar providers who stored and offered access to its ePHI.