Advertisement

May 20, 2013

The Rising Cost of HIPAA Violations: $100,000 Fine Levied on Physician Group

Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.
Kimberly J. Gold
Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.
Saturday, April 21, 2012
Administrative & Regulatory / Consumer Protection / Health Law & Managed Care
All Federal
Printer-friendly
Email this Article
Download PDF
Reprints & Permissions

If your company needs another reminder that policies and procedures, risk assessments, documentation and training are critical elements for HIPAA compliance programs, we have another corrective action plan – and monetary fine – that should be utilized as a “teachable moment” for health care providers and business associates alike.  

Phoenix Cardiac Surgery, P.C. has agreed to pay a $100,000 fine and implement a corrective action plan under a Resolution Agreement with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) after a lengthy investigation into potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. 

OCR investigated the physician practice following a report that it had been posting clinical and surgical appointments on a publicly accessible Internet-based calendar.  OCR’s investigation, dating back to 2003, found that Phoenix Cardiac Surgery had failed to implement sufficient policies and procedures to appropriately safeguard patient information.  OCR also concluded that the physician practice did not adequately document employee training on the Privacy and Security Rules, identify a security official, conduct a risk analysis, or obtain satisfactory assurances in business associate agreements with Internet-based calendar and email providers. In a press release announcing the Phoenix Cardiac Surgery settlement, OCR Director Leon Rodriquez expressed the agency’s hope that health care providers “pay careful attention” to the Resolution Agreement and the expectation that all providers, “no matter the size,” fully comply with the Privacy and Security Rules.

The Resolution Agreement has a clear warning for service providers:  Vendors of services that store and transmit patient information, including the seemingly innocuous Web-based e-mail and calendar services, are business associates and are required to comply with the Privacy and Security Rules.  It also serves as a reminder to health care providers to ensure that business associate agreements are in place for all these types of services.

The settlement reaffirms OCR’s commitment to enforcing the Privacy and Security Rules, and its willingness to sanction covered entities for HIPAA violations.  Just last month, BlueCross BlueShield of Tennessee agreed to pay $1.5 million to settle claims of non-compliance with the Privacy and Security Rules. 

©1994-2013 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

About the Author

Kimberly J. Gold
Associate

Prior to joining Mintz Levin, Kimberly was an associate at Arent Fox LLP. Her practice focused on health care and corporate matters such as mergers and acquisitions, financings, regulatory compliance, licensing, reimbursement, and privacy.

Kimberly's experience includes negotiating, reviewing, and drafting agreements, including stock and asset purchase agreements, operations transfer agreements, and loan agreements. She has also advised health care clients with respect to HIPAA, HITECH, fraud and abuse issues, Medicare and Medicaid reimbursement, food and drug laws, and state...

KJGold@mintz.com
(212) 692-6706
www.mintz.com/people/733/Kimberly_Gold

Boost: AJAX core statistics

Legal Disclaimer

You are responsible for reading, understanding and agreeing to the National Law Review's (NLR’s) and the National Law Forum LLC's  Terms of Use and Privacy Policy before using the National Law Review website. The National Law Review is a free to use, no-log in database of legal and business articles. The content and links on www.NatLawReview.com are intended for general information purposes only. Any legal analysis, legislative updates or other content and links should not be construed as legal or professional advice or a substitute for such advice. No attorney-client or confidential relationship is formed by the transmission of information between you and the National Law Review website or any of the law firms, attorneys or other professionals or organizations who include content on the National Law Review website. If you require legal or professional advice, kindly contact an attorney or other suitable professional advisor.  

Some states have laws and ethical rules regarding solicitation and advertisement practices by attorneys and/or other professionals. NLR does not accept advertising from attorneys or law firms. The National Law Review is not a law firm nor is www.NatLawReview.com  intended to be an advertisement or a referral service for attorneys and/or other professionals. The NLR does not wish, nor does it intend, to solicit the business of anyone or to refer anyone to an attorney or other professional.  NLR does not answer legal questions nor will we refer you to an attorney or other professional if you request such information from us. 

Under certain state laws the following statements may be required on this website and we have included them in order to be in full compliance with these rules. The choice of a lawyer or other professional is an important decision and should not be based solely upon advertisements. Attorney Advertising Notice: Prior results do not guarantee a similar outcome. Statement in compliance with Texas Rules of Professional Conduct. Unless otherwise noted, attorneys are not certified by the Texas Board of Legal Specialization, nor can NLR attest to the accuracy of any notation of Legal Specialization or other Professional Credentials.