HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Cybersecurity & Data Breaches, Health Privacy/HIPAA

HIPAA Violations Cost Phoenix Cardiac Surgery Group $100,000 after OCR Investigation

On April 17th, Phoenix Cardiac Surgery, P.C. agreed to pay a $100,000 fine and put in place a corrective action plan under a resolution agreement with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) following an extensive investigation into the health care provider’s HIPAA privacy and security practices. The investigation was triggered by a complaint filed with HHS alleging that the physician group was posting clinical and surgical appointments on an internet-based calendar that was publicly available. The investigation was significant in part due to its scope, as OCR examined the group’s privacy practices going back to 2003 and found them wanting.

The agency investigated the complaint at hand and found that the physician group did not have adequate safeguards and failed to put in place business associate contracts with the internet-based e-mail and calendar service providers that were storing and transmitting patient information. OCR, however, went further and examined the group’s privacy and security practices dating back to 2003. The agency found that the physician group did not implement adequate policies and procedures, document employee training on the Privacy and Security Rules, identify a security officer, or conduct the requisite risk analysis. OCR Director Leon Rodriguez stated that “this case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules.” He further asserted that “we hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”

The resolution agreement makes clear that vendors that store and transmit patient information, including providers of internet-based e-mail and calendar services, are business associates and require HIPAA business associate agreements. In addition, the case serves as a reminder that policies and procedures, risk assessments, documentation and training are key elements of a HIPAA compliance program. The resolution agreement can be read here.

Just last month, OCR announced a $1,500,000 settlement with Blue Cross Blue Shield of Tennessee (BCBST) for potential violations of the HIPAA Privacy and Security Rules. Recent enforcement actions suggest a heightened willingness by OCR to sanction covered entities for HIPAA violations.