The recent news of a small physician practice (5 physicians) in Arizona being fined $100,000 for HIPAA Security and Privacy Rule violations should serve as a warning that all covered entities, whether big hospitals or small healthcare providers such as dental and physician practices, need to take patient data security and privacy very seriously. According to the news release from the U.S. Department of Health and Human Services (HHS), Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, Arizona, has agreed to pay HHS a $100,000 settlement and to take corrective action: implement policies and procedures to safeguard the protected health information of its patients and come into full compliance with the Privacy and Security Rules.
The investigation by the HHS Office for Civil Rights (OCR) was launched after a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. OCR’s investigation also revealed that Phoenix Cardiac Surgery failed to:
- Implement adequate policies and procedures to appropriately safeguard patient information.
- Document that it trained any employees on its policies and procedures on the Privacy and Security Rules.
- Identify a security official and conduct a risk analysis.
- Obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its electronic protected health information (ePHI).
“This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules… We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”
Getting your practice to full compliance is an ongoing process and requires a multi-faceted approach. Technology alone does not make your practice HIPAA compliant. Your practice needs to take reasonable and appropriate measures to safeguard patient health information at all times. Effective use of technology, supported by well-documented policies and procedures and periodic training, is required to meet the HIPAA security and privacy compliance requirements.