July 4, 2022

Volume XII, Number 185

Advertisement
Advertisement

July 01, 2022

Subscribe to Latest Legal News and Analysis
Advertisement

The Rising Cost of HIPAA Violations: $100,000 Fine Levied on Physician Group

If your company needs another reminder that policies and procedures, risk assessments, documentation and training are critical elements for HIPAA compliance programs, we have another corrective action plan – and monetary fine – that should be utilized as a “teachable moment” for health care providers and business associates alike.  

Phoenix Cardiac Surgery, P.C. has agreed to pay a $100,000 fine and implement a corrective action plan under a Resolution Agreement with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) after a lengthy investigation into potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. 

OCR investigated the physician practice following a report that it had been posting clinical and surgical appointments on a publicly accessible Internet-based calendar.  OCR’s investigation, dating back to 2003, found that Phoenix Cardiac Surgery had failed to implement sufficient policies and procedures to appropriately safeguard patient information.  OCR also concluded that the physician practice did not adequately document employee training on the Privacy and Security Rules, identify a security official, conduct a risk analysis, or obtain satisfactory assurances in business associate agreements with Internet-based calendar and email providers. In a press release announcing the Phoenix Cardiac Surgery settlement, OCR Director Leon Rodriquez expressed the agency’s hope that health care providers “pay careful attention” to the Resolution Agreement and the expectation that all providers, “no matter the size,” fully comply with the Privacy and Security Rules.

The Resolution Agreement has a clear warning for service providers:  Vendors of services that store and transmit patient information, including the seemingly innocuous Web-based e-mail and calendar services, are business associates and are required to comply with the Privacy and Security Rules.  It also serves as a reminder to health care providers to ensure that business associate agreements are in place for all these types of services.

The settlement reaffirms OCR’s commitment to enforcing the Privacy and Security Rules, and its willingness to sanction covered entities for HIPAA violations.  Just last month, BlueCross BlueShield of Tennessee agreed to pay $1.5 million to settle claims of non-compliance with the Privacy and Security Rules. 

©1994-2022 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.National Law Review, Volume II, Number 112
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

The health industry is a complex system, and reimbursement is the lifeblood. Reduction in payments from governmental and commercial payors affects providers, suppliers, manufacturers, and all others across the health care continuum.

Regulatory approval and accreditation is the heart of the system. For many, delay in licensure and other regulatory approvals can threaten financing and corporate viability. Accreditation of residency training programs is essential to the vitality of academic medical centers and teaching hospitals.

Restructuring is a fact of life in this dynamic...

202-434-7324
Advertisement
Advertisement
Advertisement