$100,000 HIPAA fine designed to send message to small physician practices
■ After avoiding levying fines to small groups for patient privacy and security violations, the government issues its first penalty against one.
In announcing a resolution settlement with a cardiac surgery practice, the Dept. of Health and Human Services’ Office for Civil Rights issued a warning to doctors: No matter the size of your practice, you will be held accountable for HIPAA violations.
On April 17, Phoenix Cardiac Surgery, a five-physician practice with offices in Phoenix and Prescott, Ariz., became the first small practice to enter into a resolution agreement that included a civil money penalty over charges that it violated the Health Insurance Portability and Accountability Act Privacy and Security Rules (link). The practice agreed to pay $100,000 and take corrective actions.
The HHS Office for Civil Rights launched an investigation after a complaint was filed alleging that the practice was posting surgery and appointment schedules on an Internet-based calendar that was publicly accessible. Susan McAndrew, the HHS office’s deputy director of health information privacy, said when the office started working with the practice to resolve the issue, it became clear that the practice, owned by two of the five practicing surgeons, had done little to comply with HIPAA Privacy and Security Rules since the regulations were implemented in 2003 and 2004, respectively.
Phoenix Cardiac Surgery did not return a call seeking comment. The resolution agreement was not an admission of guilt.
“This case is significant because it highlights a multiyear, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” said Leon Rodriguez, director of the HHS Office of Civil Rights. “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”
The investigation found that the practice failed to implement adequate policies and procedures to protect patient information; failed to document that it trained employees on HIPAA Privacy and Security Rules; failed to identify a security official within the practice and conduct a risk analysis; and failed to obtain any business associate agreements for its Internet-based email and scheduling services.
Other complaints filed with the HHS Office of Civil Rights against small and midsized practices have resulted in corrective plans being implemented with no further action. This was the first resolution agreement with a small or midsized practice since the Privacy and Security Rules got greater enforcement powers with the enactment of the Health Information Technology for Economic and Clinical Health Act of 2009. Other resolution agreements with hospitals, health plans and pharmacies have resulted in civil money penalties of more than $1 million each.
The HHS Office of Civil Rights created a website where case studies of some of those cases can be found in hopes the stories will serve as a learning experience for others (link).