HIPAA Enforcement: Pay Attention
Even Small Clinics at Risk of Paying Penalties
Because so few organizations have been penalized for failing to comply with HIPAA, many healthcare organizations - especially smaller ones - have figured they could get away with paying scant attention to the HIPAA privacy and security rules.
That's why this week's announcement of sanctions against a small physician group practice in Arizona is so noteworthy (see: Arizona Practice Gets $100k HIPAA Fine). The practice didn't experience a headline-grabbing major breach. But when federal authorities received a complaint about what looked like a HIPAA violation, they launched what turned into a three-year investigation culminating in a $100,000 penalty and a corrective action plan.
So if you work at a small clinic or hospital and have been struggling to gain support for a HIPAA compliance program, be sure to share this enforcement tale with your top executives.
A Lengthy Investigation
The Department of Health and Human Services' Office for Civil Rights began its investigation of Phoenix Cardiac Surgery P.C. in February 2009 when it received a report that the practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. The OCR investigation determined the practice had implemented few policies and procedures to comply with the HIPAA privacy and security rules and had limited safeguards in place to protect patients' information.
The corrective action plan resulting from the investigation includes, among other measures, conducting a risk assessment and implementing appropriate policies and procedures - two fundamental HIPAA compliance steps that the practice had yet to take.
"This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the privacy and security rules," says Leon Rodriguez, OCR director. He stresses that OCR expects HIPAA compliance "no matter the size of a covered entity."
So if you think your organization can stay under the radar because it's relatively small, think again. The Phoenix practice lists five physicians on its website. And now it faces a substantial financial penalty as well as ongoing federal scrutiny.
When he became OCR director last fall, Rodriguez made a point of emphasizing his plans to ramp up HIPAA enforcement. But OCR investigations take a long time, typically two years or more. So while it may take a while, expect many more announcements from OCR about HIPAA violation settlements, whether they stem from big breaches or simply from a pattern of non-compliance.
Our recent Health Information Security Today survey contained good news and bad news about HIPAA compliance. The bad news? Some 26 percent of healthcare organizations had yet to conduct a risk assessment, as mandated under HIPAA. The good news? Some 63 percent said improving regulatory compliance efforts was their No. 1 information security priority for the year ahead.
If OCR came knocking at your door, could you demonstrate HIPAA compliance? Are you sure? Take a close look at the resolution agreement in the Phoenix case for a list of the kinds of compliance steps federal regulators want you to take.