ARTICLE
23 May 2012

Physician Practice To Pay $100,000 To Resolve Allegations Of HIPAA Violations

TC
Thompson Coburn LLP

Contributor

For almost 90 years, Thompson Coburn LLP has provided the quality legal services and counsel our clients demand to achieve their most critical business goals. With more than 380 lawyers and 40 practice areas, we serve clients throughout the United States and beyond.
On April 17, 2012, the U.S. Department of Health & Human Services Office of Civil Rights ("OCR") announced that Phoenix Cardiac Surgery, P.C. ("Phoenix"), a five-physician Arizona cardiology practice, has entered a resolution agreement related to allegations that it violated the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").
United States Food, Drugs, Healthcare, Life Sciences

P>On April 17, 2012, the U.S. Department of Health & Human Services Office of Civil Rights ("OCR") announced that Phoenix Cardiac Surgery, P.C. ("Phoenix"), a five-physician Arizona cardiology practice, has entered a resolution agreement related to allegations that it violated the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). This is the first such resolution agreement between the OCR and a physician practice. Under the terms of the resolution agreement, Phoenix has agreed to pay the government $100,000 and implement a corrective action plan requiring the practice to develop policies and take other steps to correct the alleged violations.

The HIPAA violations covered under the resolution agreement were identified as part of a 2009 OCR investigation triggered by a complaint that Phoenix had impermissibly disclosed electronic protected health information ("ePHI") by posting patient appointment information on an Internet-based calendar that was publicly available and include allegations that Phoenix:

  • Did not provide and document training of workforce members on HIPAA policies and procedures;
  • Posted ePHI on a publicly accessible, Internet-based calendar;
  • Transmitted ePHI on a daily basis from an Internet-based e-mail account to workforce members' personal e-mail accounts;
  • Failed to identify a HIPAA security officer;
  • Failed to conduct an assessment of risks to ePHI; and
  • Failed to obtain business associate agreements with the Internet-based calendar and e-mail providers.

A copy of the settlement agreement and corrective action plan can be found here: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/pcsurgery_agreement.pdf

According to Leon Rodriguez, director of the OCR, this resolution is evidence that the OCR expects full compliance with HIPAA requirements regardless of the size of a covered entity.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More