A small physician cardiac surgery practice in Arizona, Phoenix Cardiac Surgery, recently agreed to pay $100,000 in a settlement with HHS. As a part of the settlement the group has agreed to take corrective action to implement policies and procedures to protect the protected health information of its patients.
According to the HHS Office for Civil Rights, which handles complaints and investigations of violations of federal Health Insurance Portability and Accountability Act of 1996 and HIPAA's Privacy and Security Rules, the group did not have adequate policies and procedures to comply with the HIPAA Privacy and Security Rules and had "limited safeguards in place to protect patients' electronic protected health information." As the director of OCR explained, "OCR expects full compliance no matter the size of a covered entity."
The investigation began when OCR received a report that the surgery group was posting its clinical and surgical appointments on an internet-based calendar that was available to the public. As a result of that report, OCR conducted an extensive investigation and found significant non-compliance with HIPAA requirements.
OCR listed a number of specific problems:
• Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information;
• Phoenix Cardiac Surgery failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
• Phoenix Cardiac Surgery failed to identify a security official and conduct a risk analysis; and
• Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its electronic Protected Health Information.
As the Director of OCR explained, "This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,"…"we hope that healthcare providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity."
2. HIPAA compliance is not limited to large health facilities. Even the smallest physician practice is responsible for compliance with HIPAA requirements, and HHS will not base enforcement activities on the size of the practice.
3. Every provider, physician practice, hospital, health facility, nursing home, home health agency, physical therapy practice and other entity that has access to protected health information must understand, be familiar with and must comply with the HIPAA Privacy and Security Rules.
4. Moreover, depending on the state, providers must comply with state law as well. This is particularly significant in California where state law is more stringent than federal law in certain respects.
5. Token compliance with HIPAA is not enough. It is not enough to reprint canned policies and procedures; the provider must train staff, conduct risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of PHI held by the provider. Practices must appoint a privacy and security officer and ensure that it has reviewed its entire operation for compliance with the Privacy and Security Rules and understand its technology to determine if and under what circumstances PHI can be accessed on its systems.
6. Documentation of HIPAA policies and procedures and training is essential, as are disclosure logs, investigations and disciplinary actions.
7. It is essential to have signed business associate agreements with any person or entity who is not a member of the workforce yet who handles or has access to PHI or who receives, stores, maintains or transmits PHI, including electronic PHI. This includes calendaring and public email providers who have access to PHI, to ensure that they will adequately protect PHI. Those agreements must be reviewed and updated on a regular basis to ensure compliance with HIPAA.
8. Be careful about public postings; ease of access is not always consistent with HIPAA privacy and security requirements.
9. Patients are becoming more informed and concerned about privacy rights and about who has access to their health information. The government takes those complaints seriously.
10. Be careful as to the sources of information. Make sure you have firewalls and encryption and are not using publicly accessible forums. Be careful about tweeting and email protected health information. Communications with patients, refills, appointments should not be discussed on a general email system.
Carol Scott has more than three decades of experience in healthcare law with her practice focusing on regulatory compliance for a broad range of healthcare providers, including long-term care facilities, behavioral health facilities and other healthcare-related entities and individuals. She regularly advises for-profit and non-profit healthcare organizations and practitioners on certification and licensing issues, as well as on implementation of compliance plans regarding HIPAA, reimbursement, fraud, abuse and all aspects of their operations. She can be reached at cscott@fentonnelson.com.
Phoenix Cardiac Surgery Group Pays $100K Settlement for HIPAA Violation
According to the HHS Office for Civil Rights, which handles complaints and investigations of violations of federal Health Insurance Portability and Accountability Act of 1996 and HIPAA's Privacy and Security Rules, the group did not have adequate policies and procedures to comply with the HIPAA Privacy and Security Rules and had "limited safeguards in place to protect patients' electronic protected health information." As the director of OCR explained, "OCR expects full compliance no matter the size of a covered entity."
The investigation began when OCR received a report that the surgery group was posting its clinical and surgical appointments on an internet-based calendar that was available to the public. As a result of that report, OCR conducted an extensive investigation and found significant non-compliance with HIPAA requirements.
OCR listed a number of specific problems:
• Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information;
• Phoenix Cardiac Surgery failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
• Phoenix Cardiac Surgery failed to identify a security official and conduct a risk analysis; and
• Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its electronic Protected Health Information.
As the Director of OCR explained, "This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,"…"we hope that healthcare providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity."
What does this case mean for your practice?
1. This case does not add any new requirements but does demonstrate that the federal government will enforce HIPAA compliance regardless of the size of the practice.2. HIPAA compliance is not limited to large health facilities. Even the smallest physician practice is responsible for compliance with HIPAA requirements, and HHS will not base enforcement activities on the size of the practice.
3. Every provider, physician practice, hospital, health facility, nursing home, home health agency, physical therapy practice and other entity that has access to protected health information must understand, be familiar with and must comply with the HIPAA Privacy and Security Rules.
4. Moreover, depending on the state, providers must comply with state law as well. This is particularly significant in California where state law is more stringent than federal law in certain respects.
5. Token compliance with HIPAA is not enough. It is not enough to reprint canned policies and procedures; the provider must train staff, conduct risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of PHI held by the provider. Practices must appoint a privacy and security officer and ensure that it has reviewed its entire operation for compliance with the Privacy and Security Rules and understand its technology to determine if and under what circumstances PHI can be accessed on its systems.
6. Documentation of HIPAA policies and procedures and training is essential, as are disclosure logs, investigations and disciplinary actions.
7. It is essential to have signed business associate agreements with any person or entity who is not a member of the workforce yet who handles or has access to PHI or who receives, stores, maintains or transmits PHI, including electronic PHI. This includes calendaring and public email providers who have access to PHI, to ensure that they will adequately protect PHI. Those agreements must be reviewed and updated on a regular basis to ensure compliance with HIPAA.
8. Be careful about public postings; ease of access is not always consistent with HIPAA privacy and security requirements.
9. Patients are becoming more informed and concerned about privacy rights and about who has access to their health information. The government takes those complaints seriously.
10. Be careful as to the sources of information. Make sure you have firewalls and encryption and are not using publicly accessible forums. Be careful about tweeting and email protected health information. Communications with patients, refills, appointments should not be discussed on a general email system.
Carol Scott has more than three decades of experience in healthcare law with her practice focusing on regulatory compliance for a broad range of healthcare providers, including long-term care facilities, behavioral health facilities and other healthcare-related entities and individuals. She regularly advises for-profit and non-profit healthcare organizations and practitioners on certification and licensing issues, as well as on implementation of compliance plans regarding HIPAA, reimbursement, fraud, abuse and all aspects of their operations. She can be reached at cscott@fentonnelson.com.
More Articles on HIPAA:
10 Guidelines for Selecting Data Breach InsurancePhoenix Cardiac Surgery Group Pays $100K Settlement for HIPAA Violation