Phoenix Cardiac Surgery to Pay $100,000, Implement CAP to Settle HIPAA Violations


On April 17, 2012, HHS announced that Phoenix Cardiac Surgery, P.C. (Phoenix), a physician practice providing cardiothoracic surgery services located in Phoenix and Prescott, Arizona, agreed to pay $100,000 and implement a corrective action plan (CAP) to settle alleged HIPAA violations. The HHS Office for Civil Rights (OCR) began investigating Phoenix in February 2009 after receiving a complaint that Phoenix had impermissibly disclosed ePHI by posting clinical and surgical appointments for its patients on an Internet-based, publicly accessible calendar.

Upon investigation, OCR determined that Phoenix failed to have in place appropriate and reasonable administrative and technical safeguards to protect the privacy of ePHI, as evidenced by its posting of 1,000 separate entries of ePHI on the Internet calendar and by its daily transmission of ePHI from an Internet-based e-mail account to personal Internet-based e-mail accounts of workforce members. In addition, OCR found that Phoenix failed to: (1) implement adequate policies and procedures to appropriately safeguard patient information; (2) document that it trained employees on its policies and procedures on the Privacy and Security Rules; (3) identify a security official and conduct a risk analysis; and (4) obtain business associate agreements with Internet-based e-mail and calendar service providers where the provision of the service included storage of and access to ePHI. Notably, the alleged violations had been occurring for multiple years – most since 2005 and one as far back as 2003.

Please see full alert below for more information.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
