By Cynthia Ransburg-Brown
In April, Phoenix Cardiac Surgery, P.C. (“Phoenix”), a private physician medical practice comprised of five physicians, entered a one-year Corrective Action Plan (“CAP”) with the Office of Civil Rights (“OCR”) and agreed to pay $100,000 for alleged violations of the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The CAP and payment are significant because Phoenix is the first physician group practice to enter a Resolution Agreement and agree to a monetary settlement under the increased HIPAA penalties made available via the American Recovery and Reinvestment Act of 2009, which increased the maximum HIPAA penalty to $1.5 million from $250,000.
An OCR Press Release leaves no doubt as to the significance of the Phoenix case, which ended a multi-year investigation of the practice’s overall HIPAA compliance efforts. According to the Director of OCR, Leon Rodriguez, the government’s investigation revealed a “continuing failure on the part of [Phoenix] to comply with the requirements of the Privacy and Security Rules.” Rodriguez noted that “health care providers should pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and the OCR expects full compliance no matter the size of a covered entity.”
Phoenix’s troubles began when a patient filed a complaint citing a violation of the HIPAA Security Rule, triggering the OCR’s multi-year investigation. Phoenix used an Internet-based calendaring system. According to the Resolution Agreement, the calendaring system was active from July 2007 through December 2009, when the OCR contacted Phoenix about the HIPAA complaint. While the calendaring system was active, Phoenix “posted over 1,000 separate entries of electronic protected health information (“ePHI”) on the publicly accessible, Internet-based calendar.” The calendar was on a “public” setting rather than a “private” setting, thus allowing anyone to access confidential patient information. Phoenix had not “clicked” the system’s “private” setting and had failed to enter a Business Associate Agreement with the computer company providing the Internet-based service.
Among other things, the OCR’s investigation revealed the following conduct:
a. Phoenix did not provide and document training of each of its employees on the HIPAA Privacy and Security Rules;
b. Phoenix failed to implement policies and procedures to appropriately safeguard patient information;
c. Phoenix failed to identify a HIPAA security official and failed to conduct an accurate and thorough risk assessment of the potential risks to the confidentiality, integrity, and availability of ePHI; and
d. Phoenix failed to obtain business associate agreements with its Internet-based email and calendar service providers.
As the OCR notes, no covered entity is too small. Medical practices, therefore, should view the OCR’s actions as a clear warning of future government action. Even though the settlement Phoenix agreed to pay may seem small in comparison to the $1.5 million settlement the OCR reached with BlueCross and BlueShield of Tennessee to resolve claims of HIPAA Privacy and Security violations, a $100,000 settlement is significant and can be financially crippling for a physician practice.
In addition, the OCR has released early results from a new HIPAA Privacy and Security Audit Program. Under the pilot program, the OCR intends to gauge overall HIPAA compliance through the use of random audits of covered entities. Providers should be aware, however, that the program, while still in its early stages, could result in government investigations, resolution agreements, and fines similar to those discussed above. According to the OCR, the “audits present an opportunity to examine mechanisms for compliance, identify best practices and discover risks and vulnerabilities that may not have come to light through OCR’s established complaint investigations and compliance reviews.” Early audit reports reveal a wide gap in HIPAA compliance, with some covered entities failing to complete basic HIPAA tasks such as entering business associate agreements, performing risk assessments, or issuing a notice of privacy practices. In other audits, however, the auditors found no major compliance issues, supporting the OCR’s position that the random audits are “primarily a compliance improvement activity.”
These enforcement activities and others indicate the government’s renewed focus on HIPAA compliance. HIPAA has been around for many years, and the government has worked diligently with covered entities to improve and ensure compliance. However, if the Phoenix case is any indication, the government’s tolerance for non-compliance is fading fast. HIPAA is often relegated to the “last item on the agenda,” but its importance should not be so cavalierly dismissed. Given the government’s recent enforcement efforts, medical practices, both large and small, should take a serious look at overall HIPAA compliance because the cost of non-compliance can be staggering. Practices should begin with re-training employees and documenting the training; updating HIPAA policies and procedures to address breach notification, electronic medical records and portable electronic devices; and ensuring that business associates are aware of their HIPAA obligations through the use of an updated business associate agreement consistent with the requirements of the HIPAA Privacy and Security Rules.
Cynthia Ransburg-Brown, Esq.
Partner, Sirote & Permutt, P.C.’s Health Care Consulting Group
Resources:
Phoenix Resolution Agreement: HHS settles case with Phoenix Cardiac Surgery for Lack of HIPAA Safeguards, April 17, 2012, http://www.hhs.gov/news/press/2012pres/04/20120417a.html
HIPAA Privacy & Security Audit Program: Jeff Drummond & John Christiansen, Pervasive HIPAA Failings Net Surgeons the First OCR Sanctions Against Physicians, Report on Patient Privacy, May 2012, at 1.