Phoenix Cardiac Surgery, PC, a small physician practice, settled a HIPAA privacy and security complaint for $100,000 and agreed to a Corrective Action Plan.  The settlement agreement (in which the practice does not admit liability) is the culmination of an investigation that found minimal compliance with HIPAA Privacy and Security.

This 5-physician practice, with two locations in Arizona, is owned by Pierre R. Tibi, M.D. and H. Kenith Fang, M.D. Based on a review of their website, these physicians are well regarded in their community and each has authored multiple research publications.

The HHS investigation stems from a 2009 complaint that the practice posted its surgery schedule on a publicly accessible, Internet-based calendar. On February 19, 2009, just days before the new, stiffer HIPAA penalties went into effect, the Department of Health and Human Services Office for Civil Rights (“OCR”) notified the practice of the complaint and started its investigation.

The investigation found:

  • The practice never documented any training for its employees for HIPAA Privacy or Security
  • The practice did not implement appropriate administrative and technical safeguards required by HIPAA Security. In addition to publicly posting its surgery schedule, the practice used unencrypted, Internet-based email to transmit ePHI on a daily basis
  • The practice never appointed a HIPAA Security Officer
  • The practice never conducted a computer security risk analysis
  • The practice did not obtain a Business Associate agreement from its cloud-based email provider

After a review of the Resolution Agreement in this case, Eagle’s assessment is that the practice never even attempted to implement the HIPAA Security rules, which went into effect in 2005. This is not unusual. By 2005, small practices across the country suffered from “HIPAA fatigue.” From 2001 to 2003, the medical community was in a frenzy with the implementation of the HIPAA Privacy rules. In 2004 they were required to invest in updated software and learn new billing procedures to implement the HIPAA Transaction rules which converted all billing to the ANSI 837 format. In 2005, when the HIPAA Security regulations went into effect, practices had a simple response when the HIPAA messengers arrived for a 3rd time: “go away.”

Seven years later, this case should serve as a wake-up call to small practices that have noted that most of the HIPAA enforcement penalties to date have been levied against large organizations like Mass General, CVS, and Rite-Aid.

With the massive federal incentives for electronic records, especially with the health information exchanges and the transmission of sensitive information between providers, the importance of the HIPAA Security measures is plain to see, even to the average consumer.

The feds are stressing HIPAA compliance by including in the Meaningful Use criteria a Privacy and Security Objective which obligates practices to perform a HIPAA computer security risk analysis, and to correct deficiencies identified. Because small practices have limited resources, Eagle Consulting offers affordable subscription services to assist with this objective.
