On April 17, 2012, the United States Department of Health and Human Services Office for Civil Rights (“OCR”) reached a settlement with Phoenix Cardiac Surgery (“PSC”) for alleged violations of the HIPAA Privacy and Security Rules.
OCR initiated an investigation in February 2009 in response to a complaint that alleged that PSC had “impermissibly disclosed electronic protected health information by making it publicly available on the Internet.” Through the course of its investigation, OCR found that PSC did not adequately provide and document training of its employees on how to appropriately handle protected health information (“PHI”). Additionally, OCR found that PSC did not have appropriate and reasonable administrative, physical and technical safeguards in place to protect patient data. For example, PSC allegedly “posted over 1,000 separate entries of ePHI on a publicly accessible, Internet-based calendar” and employees e-mailed PHI to their own personal e-mail accounts. OCR further alleged that PSC did not appoint a security officer as required by HIPAA, and did not perform an accurate and thorough risk assessment which is also a HIPAA requirement. Lastly, OCR alleged that PSC did not obtain “satisfactory assurances in a business associate agreement” from its business associates. This suggests that either business associate agreements were outright lacking or the language did not meet the requirements under HIPAA.
PSC agreed to pay OCR $100,000 as well as enter into a one-year corrective action plan. It should be noted that the OCR investigation addressed periods prior to the implementation of the HITECH Act, and therefore, data breach notification implicated.