Arizona Practice Gets $100k HIPAA FineLengthy Investigation Finds Numerous Violations
As a result of a three-year federal investigation of HIPAA violations, a small Arizona physician group practice faces a $100,000 penalty and must implement a corrective action plan.
The investigation of Phoenix Cardiac Surgery P.C., with offices in Phoenix and Prescott, began in February 2009, following a report that the practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible, according to the Department of Health and Human Services' Office for Civil Rights. The OCR investigation determined the practice had implemented few policies and procedures to comply with the HIPAA privacy and security rules and had limited safeguards in place to protect patients' information, according to an HHS statement. The investigation led to a resolution agreement, which is available on the OCR website.
The agreement calls for a corrective action plan that includes, among other measures, conducting a risk assessment and implementing appropriate policies and procedures. The practice, which is owned by two physicians, lists five physicians on its website.
"This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the privacy and security rules," says Leon Rodriquez, OCR director. He stresses that OCR expects HIPAA compliance "no matter the size of a covered entity."
Key HIPAA Violations
Issues revealed in the investigation, according to OCR, are that the practice failed to:
- Implement adequate policies and procedures to appropriately safeguard patient information;
- Document that it trained any employees on its policies and procedures for complying with the HIPAA privacy and security rules;
- Identify a security official and conduct a risk analysis;
- Obtain business associate agreements with its Internet-based e-mail and calendar services vendors who stored and had access to protected health information.
In March, OCR announced a resolution agreement with BlueCross Blue Shield of Tennessee that included a $1.5 million penalty in a case involving a breach that affected more than 1 million individuals.