Phoenix Cardiac Surgery to Pay $100,000, Implement CAP to Settle HIPAA Violations
On April 17, 2012, HHS announced that Phoenix Cardiac Surgery, P.C. (Phoenix), a physician practice providing cardiothoracic surgery services located in Phoenix and Prescott, Arizona, agreed to pay $100,000 and implement a corrective action plan (CAP) to settle alleged HIPAA violations. The HHS Office for Civil Rights (OCR) began investigating Phoenix in February 2009 after receiving a complaint that Phoenix had impermissibly disclosed ePHI by posting clinical and surgical appointments for its patients on an Internet-based, publicly accessible calendar.

Upon investigation, OCR determined that Phoenix failed to have in place appropriate and reasonable administrative and technical safeguards to protect the privacy of ePHI, as evidenced by its posting of 1,000 separate entries of ePHI on the Internet calendar and by transmitting daily ePHI from an Internet-based e-mail account to personal Internet-based e-mail accounts of workforce members. In addition, OCR found that Phoenix failed to: (1) implement adequate policies and procedures to appropriately safeguard patient information; (2) document that it trained employees on its policies and procedures on the Privacy and Security Rules; (3) identify a security official and conduct a risk analysis; and (4) obtain business associate agreements with Internet-based e-mail and calendar services providers where the provision of the service included storage of and access to ePHI. Notably, the alleged violations had been occurring for multiple years – most since 2005 and one as far back as 2003.
