The U.S. Department of Health and Human Services (HHS) has announced a $100,000 settlement with Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, Arizona, together with a corrective action plan under which the practice will implement policies and procedures to safeguard its patients' protected health information:
The settlement with the physician practice follows an extensive investigation by the HHS Office for Civil Rights (OCR) for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The incident giving rise to OCR’s investigation was a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR found that Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules, and had limited safeguards in place to protect patients’ electronic protected health information (ePHI).

“This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” said Leon Rodriguez, director of OCR. “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”

OCR’s investigation also revealed the following issues:
- Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information;
- Phoenix Cardiac Surgery failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
- Phoenix Cardiac Surgery failed to identify a security official and conduct a risk analysis; and
- Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.
The issue of privacy relating to online healthcare information is of particular concern to Web-based providers of telemedicine services. Online or e-health can raise significant legal issues, including privacy and security concerns under both federal law (HIPAA and HITECH) and state law. For example, California has extensive privacy regulations through its Confidentiality of Medical Information Act (“CMIA”) and portions of the Health & Safety Code. For information and legal advice about HIPAA and related state privacy and confidentiality legal issues, contact a HIPAA and HITECH attorney who can assess your situation and customize HIPAA policies and procedures.

Contact our healthcare law and FDA attorneys for legal advice relevant to your healthcare venture.
