HHS Settlement for Lack of HIPAA Safeguards

On April 17, 2012, the United States Department of Health and Human Services Office for Civil Rights (“OCR”) reached a settlement with Phoenix Cardiac Surgery (“PSC”) for alleged violations of the HIPAA Privacy and Security Rules. 

OCR initiated an investigation in February 2009 in response to a complaint that alleged that PSC had “impermissibly disclosed electronic protected health information by making it publicly available on the Internet.” Through the course of its investigation, OCR found that PSC did not adequately provide and document training of its employees on how to appropriately handle protected health information (“PHI”). Additionally, OCR found that PSC did not have appropriate and reasonable administrative, physical and technical safeguards in place to protect patient data. For example, PSC allegedly “posted over 1,000 separate entries of ePHI on a publicly accessible, Internet-based calendar” and employees e-mailed PHI to their own personal e-mail accounts. OCR further alleged that PSC did not appoint a security officer as required by HIPAA, and did not perform an accurate and thorough risk assessment which is also a HIPAA requirement. Lastly, OCR alleged that PSC did not obtain “satisfactory assurances in a business associate agreement” from its business associates. This suggests that either business associate agreements were outright lacking or the language did not meet the requirements under HIPAA. 

 

PSC agreed to pay OCR $100,000 as well as enter into a one-year corrective action plan. It should be noted that the OCR investigation addressed periods prior to the implementation of the HITECH Act, and therefore, data breach notification implicated.

 

Published In: Administrative Agency Updates, Health Updates, Privacy Updates, Science, Computers & Technology Updates

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Proskauer - Privacy & Data Security | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »