HHS Settles Case with Phoenix Cardiac Surgery for Lack of HIPAA Safeguards

This enforcement action is particularly important because it marks the first recent case where failure to conduct a HIPAA Security Risk Analysis is used for a financial penalty or fine!
Please remember this is a requirement under HIPAA as well as to attest to meaningful use. If you have not had CRHC help you with your RA let us know and we can provide you with an affordable series of options.
Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, Arizona, has agreed to pay the U.S. Department of Health and Human Services (HHS) a $100,000 settlement and take corrective action to implement policies and procedures to safeguard to protected health information of its patients.

The settlement with the physician practice follows an extensive investigation by the HHS Office for Civil Rights (OCR) for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

The incident giving rise to OCR’s investigation was a report that the physician practice was posting clinical and surgical appointments for their patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR found that Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules, and had limited safeguards in place to protect patients’ electronic protected health information (ePHI).

Among other issues, OCR’s investigation revealed the following issues:

·       Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information;
·       Phoenix Cardiac Surgery failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
·       Phoenix Cardiac Surgery failed to identify a security official and conduct a risk analysis; and  
·       Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.

Under the HHS resolution agreement, Phoenix Cardiac Surgery has agreed to pay a $100,000 settlement amount and a corrective action plan that includes a review of recently developed policies and other actions taken to come into full compliance with the Privacy and Security Rules.
·       Read the Resolution Agreement and CAP
·       For Information on OCR’s Enforcement Activities 
·       Read the HHS Press Release

Much is happening in healthcare. Check out my monthly CEO update for the latest in rural healthcare.


Leave a reply

Your email address will not be published. Required fields are marked *