By Cynthia Ransburg-Brown
In April, Phoenix Cardiac Surgery, P.C. (“Phoenix”), a private medical practice of five physicians, entered a one-year Corrective Action Plan (“CAP”) with the Office for Civil Rights (“OCR”) and agreed to pay $100,000 for alleged violations of the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The CAP and payment are significant because Phoenix is the first physician group practice to enter a Resolution Agreement and agree to a monetary settlement under the increased HIPAA civil penalties made available via the American Recovery and Reinvestment Act of 2009, which raised the maximum civil penalty for violations of an identical provision in a calendar year to $1.5 million from $25,000.
An OCR Press Release leaves no doubt as to the significance of the Phoenix case, which ended a multi-year investigation of the practice’s overall HIPAA compliance efforts. According to the Director of OCR, Leon Rodriguez, the government’s investigation revealed a “continuing failure on the part of [Phoenix] to comply with the requirements of the Privacy and Security Rules.” Rodriguez noted that “health care providers should pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and the OCR expects full compliance no matter the size of a covered entity.”
Phoenix’s troubles began when a patient filed a complaint alleging a violation of the HIPAA Security Rule, triggering the OCR’s multi-year investigation. Phoenix used an Internet-based calendaring system. According to the Resolution Agreement, the calendaring system was in use from July 2007 through December 2009, when the OCR contacted Phoenix about the HIPAA complaint. While the calendaring system was in use, Phoenix “posted over 1,000 separate entries of electronic protected health information (“ePHI”) on the publicly accessible, Internet-based calendar.” The calendar had been left on its “public” setting rather than switched to its “private” setting, so anyone on the Internet could read confidential patient information. Phoenix had never selected the system’s “private” setting, and it had failed to enter a Business Associate Agreement with the company providing the Internet-based service.
Among other things, the OCR’s investigation revealed the following conduct:
a. Phoenix did not provide and document training for each of its employees on the HIPAA Privacy and Security Rules;
b. Phoenix failed to implement policies and procedures to appropriately safeguard patient information;
c. Phoenix failed to identify a HIPAA security official and failed to conduct an accurate and thorough risk assessment of the potential risks to the confidentiality, integrity, and availability of ePHI; and
d. Phoenix failed to obtain business associate agreements with its Internet-based email and calendar service providers.
As the OCR notes, no covered entity is too small to be held to the Rules. Medical practices, therefore, should view the OCR’s actions as a clear warning of future government action. Even though the amount Phoenix agreed to pay may seem small in comparison to the $1.5 million settlement the OCR reached with BlueCross BlueShield of Tennessee to resolve claims of HIPAA Privacy and Security violations, a $100,000 settlement is significant and can be financially crippling for a physician practice.
In addition, the OCR has released early results from a new HIPAA Privacy and Security Audit Program. Under the pilot program, the OCR intends to gauge overall HIPAA compliance through random audits of covered entities. Providers should be aware, however, that the program, while still in its early stages, could result in government investigations, resolution agreements, and fines similar to those discussed above. According to the OCR, the “audits present an opportunity to examine mechanisms for compliance, identify best practices and discover risks and vulnerabilities that may not have come to light through OCR’s established complaint investigations and compliance reviews.” Early audit reports reveal a wide gap in HIPAA compliance, with some covered entities failing to complete basic HIPAA tasks such as entering business associate agreements, performing risk assessments, or issuing a notice of privacy practices. In other audits, however, the auditors found no major compliance issues, supporting the OCR’s position that the random audits are “primarily a compliance improvement activity.”
These enforcement activities and others indicate the government’s renewed focus on HIPAA compliance. HIPAA has been in place for many years, and the government has worked diligently with covered entities to improve and ensure compliance. However, if the Phoenix case is any indication, the government’s tolerance for non-compliance is fading fast. HIPAA is often relegated to the last item on the agenda, but its importance should not be so cavalierly dismissed. Given the government’s recent enforcement efforts, medical practices, both large and small, should take a serious look at their overall HIPAA compliance, because the cost of non-compliance can be staggering. Practices should begin by re-training employees and documenting the training; updating HIPAA policies and procedures to address breach notification, electronic medical records, and portable electronic devices; and ensuring that business associates are aware of their HIPAA obligations through the use of an updated business associate agreement consistent with the requirements of the HIPAA Privacy and Security Rules.
Cynthia Ransburg-Brown, Esq.
Partner, Sirote & Permutt, P.C.’s Health Care Consulting Group
Phoenix Resolution Agreement:
HHS settles case with Phoenix Cardiac Surgery for Lack of HIPAA Safeguards, April 17, 2012, http://www.hhs.gov/news/press/2012pres/04/20120417a.html
HIPAA Privacy & Security Audit Program:
Jeff Drummond & John Christiansen, Pervasive HIPAA Failings Net Surgeons the First OCR Sanctions Against Physicians, Report on Patient Privacy, May 2012, at 1.