HIPAA Violations Cost Phoenix Cardiac Surgery Group $100,000 after OCR Investigation

The agency investigated the complaint at hand and found that the physician group did not have adequate safeguards and failed to put in place business associate contracts with internet-based e-mail and calendar service providers that were storing and transmitting patient information.  OCR, however, went further and examined the group’s privacy and security practices dating back to 2003.  The agency found that the physician group did not implement adequate policies and procedures, document employee training on the Privacy and Security Rules, identify a security officer, or conduct the requisite risk analysis.  OCR Director Leon Rodriquez stated that “this case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules.”  He further asserted that “we hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.” 

The resolution agreement makes clear that vendors that store and transmit patient information, including providers of internet-based e-mail and calendar services, are business associates and require HIPAA business associate agreements.  In addition, the case serves as a reminder that policies and procedures, risk assessments, documentation and training are key elements of a HIPAA compliance program.   

Just last month, OCR announced a $1,500,000 settlement with Blue Cross Blue Shield of Tennessee (BCBST) for potential violations of the HIPAA Privacy and Security Rules.  Recent enforcement actions suggest a heightened willingness by OCR to sanction covered entities for HIPAA violations.

Authored by Marcy Wilder.