A heart surgery group practice agreed to pay $100,000 to settle federal allegations that it chronically neglected standard HIPAA requirements such as risk assessment, training and business associate contracts, the U.S. Department of Health and Human Services (HHS) announced April 17.
This settlement, coming hard on the heels of HHS’ $1.5 million agreement with BlueCross BlueShield of Tennessee, suggests that HHS officials’ recent tough talk is for real. And of potential significance for plan sponsors, it may signal that smaller covered entities are no longer under the radar.
HHS’ enforcement action against Phoenix Cardiac Surgery, P.C. (PCS), was triggered by a complaint that PCS was posting patient appointments on a publicly accessible Internet-based calendar. When it investigated, HHS’ Office for Civil Rights (OCR) found that the five-physician group had implemented few policies or procedures to comply with HIPAA’s privacy and security rules, and had only limited safeguards on electronic protected health information (e-PHI), the agency alleged.
“This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the privacy and security rules,” OCR Director Leon Rodriguez said in a statement. “The HIPAA privacy and security rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”
Like previous HIPAA “resolution agreements,” the PCS settlement imposes a detailed corrective action plan. In this case, PCS must prepare and submit policies and procedures for OCR approval and then, 60 days later, submit an “implementation report” that includes a risk analysis, a risk management plan and signed attestations that all employees have undergone the required training and certified compliance.