
OCR Penalizes Physician Practice for HIPAA Privacy and Security Rule Violations

April 18, 2012 · American Recovery and Reinvestment Act, Enforcement, HIPAA Law, Privacy, Security

April 18, 2012. Late last week, the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) executed a Resolution Agreement, with an included Corrective Action Plan (Appendix A), as a settlement for violations of the HIPAA Privacy and Security Rules by a physician practice, Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, AZ.

In its April 17, 2012, News Release, HHS stated:

“The incident giving rise to OCR’s investigation was a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR found that Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules, and had limited safeguards in place to protect patients’ electronic protected health information (ePHI).

“‘This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,’ said Leon Rodriguez, director of OCR. ‘We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.’

“OCR’s investigation [of Phoenix Cardiac Surgery] also revealed the following issues:

  • Failed to implement adequate policies and procedures to appropriately safeguard patient information;
  • Failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
  • Failed to identify a security official and conduct a risk analysis; and
  • Failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.

“Under the HHS resolution agreement, Phoenix Cardiac Surgery has agreed to pay a $100,000 settlement amount and [to] a corrective action plan that includes a review of recently developed policies and other actions taken to come into full compliance with the Privacy and Security Rules.”

HIPAA.com recommends that the reader review the Corrective Action Plan, especially sections V. (Corrective Action Obligations: A. Policies and Procedures; B. Distribution and Updating of Policies and Procedures; C. Minimum Content of the Policies and Procedures; D. Training; and E. Reportable Events) on pages 7-10; VI. (Implementation Report) on pages 10-11; and VIII. (Breach Provisions: D. Imposition of CMP (civil money penalty) [“for any violations of the Privacy and Security Rules related to the Covered Conduct set forth in paragraph 2 of the Agreement and for any other act or failure to act that constitutes a violation of the Privacy or Security Rules”]) on page 12. As we have mentioned frequently in earlier posts, covered entities–and business associates after publication of the Final Rules in the Federal Register–will find it less onerous, costly, and time-consuming to conduct a risk analysis, implement policies and procedures for safeguarding protected health information, and train workforce members now than under the constraints of a possible Corrective Action Plan after discovery of HIPAA Privacy or Security Rule violations through a compliance audit, complaint investigation, or breach.
