The Department of Health and Human Services (“DHHS”) announced yesterday in a press release that, after a lengthy investigation, the Office for Civil Rights (“OCR”) had reached a settlement agreement with Phoenix Cardiac Surgery, P.C. (“PCS”), an Arizona for-profit corporation that is a covered entity under HIPAA. Under the terms of the settlement, PCS agreed to pay $100,000 and to follow a corrective action plan laid out by OCR. The investigation began February 19, 2009, as a result of a complaint alleging that PCS had impermissibly disclosed electronic protected health information (“EPHI”) by making it publicly available on the internet. The investigation revealed several instances of PCS’s ongoing failure, since 2003, to comply with HIPAA and its implementing privacy and security regulations.
“This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” said Leon Rodriguez, Director of OCR, according to the press release. “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”
According to the press release, OCR’s investigation also revealed the following issues:
- PCS failed to implement adequate policies and procedures to appropriately safeguard patient information.
- PCS failed to train and document that it had trained any employees on its policies and procedures on the Privacy and Security Rules.
- PCS failed to identify a security official and conduct a risk analysis.
- PCS failed to obtain business associate agreements with internet-based email and calendar services where the provision of the service included storage of and access to its EPHI.
Moral of the story: Get HIPAA compliant now. You will have to comply with HIPAA and the HITECH Act anyway, so why not bite the bullet and do it now? You can help yourself avoid a hefty settlement that would surely include big bucks and a corrective action plan. And you will be taking good care of your patients/clients. And you will sleep better. If you need help, first, you can buy my Health Information Compliance Library, and second, you can hire my consulting company, EMR Legal, Inc., to help you become compliant.