An Arizona cardiac surgery practice has agreed to pay $100,000 to settle allegations that it failed to comply with HIPAA privacy and security requirements. The HHS Office for Civil Rights (OCR), which enforces the HIPAA privacy and security rules, announced the settlement in a press release issued April 17, and available here. The practice also agreed to a corrective action plan. It did not admit any liability.
This investigation should catch the attention of small providers who have not made a priority of HIPAA compliance. The target of this investigation was a small medical group, and the penalty – not to mention the likely costs of the investigation – was substantial. In announcing the settlement, OCR said, “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.” The practice evidently came to OCR’s attention through a report that it was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. HHS says that its investigation revealed ongoing deficiencies:
- Failure to provide and document workforce training.
- Failure to implement appropriate security safeguards; in particular, posting electronic health information on a publicly accessible, Internet-based calendar, and transmitting health information from an Internet-based email account to workforce members’ personal Internet-based email accounts;
- Failure to identify a security official;
- Failure to conduct a proper security risk assessment;
- Failure to obtain the required business associate agreements from the provider of its Internet-based email account and calendar.
The one-year corrective action plan requires the practice to adopt and maintain policies and procedures to address the alleged deficiencies. The policies and procedures must be submitted to OCR for approval, and the practice must address changes recommended by OCR. The practice must distribute the policies and procedures to all affected members of its workforce, and to new hires, and must obtain a signed compliance certification from workforce members. The practice must review and, if necessary, revise its policies and procedures at least annually. The practice must also train its workforce in the policies and procedures, and obtain certifications from them that they have received the training. The practice must review and update its training annually.
Finally, the practice must report breaches of its policies and procedures to OCR.
OCR’s expectation that providers should be in full compliance with the Security Rule – which went into effect seven years ago – is not surprising. Like the settlement that OCR announced last month, this one highlights the need to treat security compliance as a continuous process involving regular assessments of the security environment, review of policies and procedures, and workforce training.
Hooper, Lundy & Bookman assists clients with a range of HIPAA compliance activities, including policies and procedures, workforce training and managing data breaches.
For more information, please contact: in San Francisco, Paul Smith, Clark Stanton, Steve Phillips or Paul Deeringer at 415.875.8500; in Los Angeles, Hope Levy-Biehl at 310.551.8111; in Washington, D.C., Robert Roth at 202.587.2590.