HHS Announces $100,000 HIPAA Settlement with a Physician Practice

On April 17, 2012, the U.S. Department of Health and Human Services announced that Phoenix Cardiac Surgery, P.C. agreed to a $100,000 settlement for the covered entity's continuing failure to comply with the HIPAA Privacy and Security Rules. (HHS Press Release) The settlement also requires the implementation of an extensive corrective action plan to bring the covered entity into compliance with the HIPAA Privacy and Security Rules. The settlement followed an investigation by the HHS Office for Civil Rights, opened in response to a report that the covered entity was posting protected health information on an Internet-based calendar accessible to the public.

This settlement should be ample warning to providers of all types that HHS' posture on HIPAA compliance has continued to trend toward aggressive and monetarily material enforcement of the HIPAA Privacy and Security Rules. The physician practice involved in this settlement clearly did not appreciate the HIPAA risks of maintaining a public calendar. While a public calendar could create certain efficiencies in the operation of the practice and improve physician productivity, the cost of the practice's failure to fully appreciate the HIPAA risks has certainly eroded any expected return from the use of an electronic calendar.

It is interesting to note that HHS was especially perplexed by a multi-year continuing failure of compliance. There are a number of lessons and considerations for providers from this settlement:

1. Are you certain you are fully HIPAA compliant?

Many providers purchased off-the-shelf HIPAA compliance plans that were marketed to address the HIPAA Privacy Rule when it initially came into effect and did the minimum to implement the plan and educate staff. If you are in this situation, you need to answer the following additional questions:

a. Have we followed the plan we adopted and documented our compliance sufficiently, e.g. training logs, employee acknowledgements, etc.?

b. Have we updated the plan to address the HIPAA Security Rule?

c. Have we updated the plan to address changes under the HITECH Act?

2. Are you systematically monitoring HIPAA compliance?

Many physician practices place the burden of serving as compliance officer on staff members who are ill-prepared for a role that is taking on heightened importance as enforcement activity becomes more aggressive. It is highly recommended that you evaluate the talents and skill set of your compliance officer and make a change if necessary to provide further protection and safeguards against HIPAA risks.

3. Are your privacy and security safeguards effectively integrated?

In many organizations, responsibility for issues under the Privacy Rule and issues under the Security Rule may sit in different departments. For example, responsibility for privacy may be found in the office of the general counsel or chief compliance officer, while responsibility for security may be found with the chief information officer or even the chief financial officer, given the financial commitments necessary to procure significant management information systems, including electronic health record capabilities. Organizations should continually monitor whether safeguards are appropriately integrated across privacy and security considerations and conduct risk assessments to identify gaps that need to be addressed.

The settlement recently announced by HHS is not the first monetary settlement in the HIPAA compliance area. However, this settlement is important because of the severity of the sanctions, which reflects the apparent indifference of the covered entity toward serious HIPAA compliance efforts. If you are a covered entity that has been lax in its HIPAA compliance efforts, you are now on notice that HHS is looking to send a message regarding what it perceives to be deliberate indifference to HIPAA compliance.

If you have any questions about your HIPAA compliance plans, please feel free to contact Frank Carsonie or any member of our health care practice group for a further discussion.