Recently shared on the American Health Lawyers Association (AHLA) Practice Group listserv. I thought I would share this with you as a reminder of how important ongoing HIPAA education is to staying on the right side of the regulations. Don’t just read this and think that you don’t publish information on the internet. Look at it from the standpoint of what you can do better to ensure your patients’ privacy and security rights are protected.

Recently, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced in a press release that it has entered into a Resolution Agreement that requires Phoenix Cardiac Surgery PC, a small cardiology practice based in Phoenix and Prescott, AZ, to pay $100,000 to HHS and implement a Corrective Action Plan. The settlement with the physician practice follows an extensive investigation by OCR for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.
According to the press release, the incident that gave rise to OCR’s investigation was a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was accessible to the public. As part of its investigation, OCR concluded that the physician practice had implemented few policies and procedures to comply with HIPAA, and had limited safeguards in place to protect patients’ electronic protected health information (ePHI). OCR identified the following issues during its investigation: (1) the practice failed to implement adequate policies and procedures to appropriately safeguard patient information; (2) the practice failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules; (3) the practice failed to identify a security official and conduct a risk analysis; and (4) the practice failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.
As part of the Corrective Action Plan, the physician practice agreed to develop a comprehensive set of HIPAA policies and procedures and to submit them to OCR for review and approval. After OCR has approved the policies and procedures, the practice is required to implement them and to train all members of its workforce who use or disclose protected health information on those policies and procedures. Additionally, the Corrective Action Plan states that the policies and procedures must include the following specific content: (1) a thorough assessment of the risks and vulnerabilities to ePHI; (2) a risk management plan to reduce any risks and vulnerabilities identified by the risk assessment; (3) the identification of a HIPAA Security Official; (4) satisfactory assurances that each business associate will safeguard ePHI pursuant to a contract that contains the HIPAA Privacy and Security Rule provisions required in business associate agreements; (5) technical safeguards that restrict access to ePHI; (6) technical measures to protect ePHI transmitted over an electronic communications network, including via text messaging; and (7) training, including security reminders and procedures for guarding against malicious software.
This settlement serves as an important reminder to physician practices to review compliance with the HIPAA Privacy and Security Rules.