$100,000 HIPAA fine designed to send message to small physician practices

After refraining from fining small groups for patient privacy and security violations, the government issues its first penalty against one.

Posted May 2, 2012


In announcing a resolution settlement with a cardiac surgery practice, the Dept. of Health and Human Services’ Office for Civil Rights issued a warning to doctors: No matter the size of your practice, you will be held accountable for HIPAA violations.

On April 17, Phoenix Cardiac Surgery, a five-physician practice with offices in Phoenix and Prescott, Ariz., became the first small practice to enter into a resolution agreement that included a civil money penalty over charges that it violated the Health Insurance Portability and Accountability Act Privacy and Security Rules. The practice agreed to pay $100,000 and take corrective actions.

The HHS Office for Civil Rights launched an investigation after a complaint was filed alleging that the practice was posting surgery and appointment schedules on an Internet-based calendar that was publicly accessible. Susan McAndrew, the HHS office’s deputy director of health information privacy, said when the office started working with the practice to resolve the issue, it became clear that the practice, owned by two of the five practicing surgeons, had done little to comply with HIPAA Privacy and Security Rules since the regulations were implemented in 2003 and 2004, respectively.

Phoenix Cardiac Surgery did not return a call seeking comment. The resolution agreement was not an admission of guilt.

“This case is significant because it highlights a multiyear, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” said Leon Rodriguez, director of the HHS Office for Civil Rights. “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”

The investigation found that the practice failed to implement adequate policies and procedures to protect patient information; failed to document that it trained employees on HIPAA Privacy and Security Rules; failed to identify a security official within the practice and conduct a risk analysis; and failed to obtain any business associate agreements for its Internet-based email and scheduling services.

Other complaints filed with the HHS Office for Civil Rights against small and midsized practices have resulted in corrective plans being implemented with no further action. This was the first resolution agreement with a small or midsized practice since the Privacy and Security Rules got greater enforcement powers with the enactment of the Health Information Technology for Economic and Clinical Health Act of 2009. Other resolution agreements with hospitals, health plans and pharmacies have resulted in civil money penalties of more than $1 million each.

The HHS Office for Civil Rights created a website where case studies of some of those cases can be found in hopes the stories will serve as a learning experience for others.
