HHS Settlement for Lack of HIPAA Safeguards


On April 17, 2012, the United States Department of Health and Human Services Office for Civil Rights (“OCR”) reached a settlement with Phoenix Cardiac Surgery (“PSC”) for alleged violations of the HIPAA Privacy and Security Rules. 

OCR initiated an investigation in February 2009 in response to a complaint that alleged that PSC had “impermissibly disclosed electronic protected health information by making it publicly available on the Internet.” Through the course of its investigation, OCR found that PSC did not adequately provide and document training of its employees on how to appropriately handle protected health information (“PHI”). Additionally, OCR found that PSC did not have appropriate and reasonable administrative, physical and technical safeguards in place to protect patient data. For example, PSC allegedly “posted over 1,000 separate entries of ePHI on a publicly accessible, Internet-based calendar” and employees e-mailed PHI to their own personal e-mail accounts. OCR further alleged that PSC did not appoint a security officer as required by HIPAA, and did not perform an accurate and thorough risk assessment which is also a HIPAA requirement. Lastly, OCR alleged that PSC did not obtain “satisfactory assurances in a business associate agreement” from its business associates. This suggests that either business associate agreements were outright lacking or the language did not meet the requirements under HIPAA. 


PSC agreed to pay OCR $100,000 as well as enter into a one-year corrective action plan. It should be noted that the OCR investigation addressed periods prior to the implementation of the HITECH Act, and therefore, data breach notification implicated.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Proskauer - Privacy & Data Security | Attorney Advertising

Written by:


Proskauer - Privacy & Data Security on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.