Guest guest
Posted April 24, 2012

Interesting.

Locke, MD

==================

Here is the full Gov't side of the story...

http://www.hhs.gov/news/press/2012pres/04/20120417a.html

News Release

FOR IMMEDIATE RELEASE
April 17, 2012

Contact: HHS Press Office

HHS settles case with Phoenix Cardiac Surgery for lack of HIPAA safeguards

Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, Arizona, has agreed to pay the U.S. Department of Health and Human Services (HHS) a $100,000 settlement and take corrective action to implement policies and procedures to safeguard the protected health information of its patients.

The settlement with the physician practice follows an extensive investigation by the HHS Office for Civil Rights (OCR) for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

The incident giving rise to OCR’s investigation was a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR found that Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules, and had limited safeguards in place to protect patients’ electronic protected health information (ePHI).

“This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” said Leon , director of OCR. “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”

OCR’s investigation also revealed the following issues: Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information; Phoenix Cardiac Surgery failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules; Phoenix Cardiac Surgery failed to identify a security official and conduct a risk analysis; and Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.

Under the HHS resolution agreement, Phoenix Cardiac Surgery has agreed to pay a $100,000 settlement amount and a corrective action plan that includes a review of recently developed policies and other actions taken to come into full compliance with the Privacy and Security Rules.

Individuals who believe that a covered entity has violated their (or someone else’s) health information privacy rights or committed another violation of the HIPAA Privacy or Security Rule may file a complaint with OCR at: http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html.

The HHS Resolution Agreement can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/pcsurgery_agreement.pdf

Additional information about OCR’s enforcement activities can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.

===============

Here is their website...

http://www.phoenixcardiacsurgery.com/

What's with the Turkey Roasting photo? ;-)

====================================

http://www.informationweek.com/news/healthcare/security-privacy/232900727

According to the HHS resolution agreement, from July 2007 until February 2009, Phoenix Cardiac Surgery posted more than 1,000 separate entries of ePHI on a publicly accessible, Internet-based calendar, and from September 2005 until November 2009, the physician practice daily transmitted ePHI from an Internet-based email account to workforce members' personal Internet-based email accounts.

In a related story, last month HHS announced that Blue Cross Blue Shield of Tennessee (BCBST) agreed to pay $1.5 million to settle potential HIPAA violations that involved the theft of 57 unencrypted computer hard drives that contained the protected health information of over 1 million individuals.

======================================

Online Calendar Mistakes Cost Doctors Group $100000
InformationWeek - 4 hours ago
HHS penalizes Phoenix Cardiac Surgery for violating HIPAA privacy ... By InformationWeek Phoenix Cardiac Surgery has agreed to pay the US ...
The rising cost of HIPAA violations: $100000 fine levied on ... Lexology (registration)

HHS settles case with Phoenix Cardiac Surgery for lack of HIPAA ...
MarketWatch (press release) - 6 days ago
WASHINGTON, Apr 17, 2012 (BUSINESS WIRE) -- Phoenix Cardiac Surgery, PC, of Phoenix and Prescott, Arizona, has agreed to pay the US Department of Health and ...
Phoenix Cardiac Surgery Group Pays $100K in HIPAA Violation Settlement - Becker's Hospital Review
Cardiology Practice to Pay $100000 to Settle Allegations of HIPAA ... Bloomberg BNA
Cardiologists fined $100000 for Internet privacy violations - AZ Central.com
iHealthBeat - Linex Legal (press release) (registration)

Arizona Cardiac Surgeons Pay $100000 To Settle HIPAA Violations
Forbes - 4 days ago
According to the Health and Human Services Office for Civil Rights (OCR), the investigation of Phoenix Cardiac Surgery, PC, which is owned by two cardiac ...
LLP | Small Cardiology Practice to Pay $100000 to ... Linex Legal (press release) (registration)

Senate begins budget 'markup' - Sign of a damaged Congress - ACA ...
Politico - 5 days ago
HHS WINS CASE AGAINST PHYSICIAN PRACTICE FOR HIPAA VIOLATION – Phoenix Cardiac Surgery in Arizona agreed Tuesday to pay HHS $100000, after an agency ...