Arizona Practice Gets $100k HIPAA Fine

Lengthy Investigation Finds Numerous Violations
Arizona Practice Gets $100k HIPAA Fine

As a result of a three-year federal investigation of HIPAA violations, a small Arizona physician group practice faces a $100,000 penalty and must implement a corrective action plan.

See Also: Addressing the Identity Risk Factor in the Age of 'Need It Now'

The investigation of Phoenix Cardiac Surgery P.C., with offices in Phoenix and Prescott, began in February 2009, following a report that the practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible, according to the Department of Health and Human Services' Office for Civil Rights. The OCR investigation determined the practice had implemented few policies and procedures to comply with the HIPAA privacy and security rules and had limited safeguards in place to protect patients' information, according to an HHS statement. The investigation led to a resolution agreement, which is available on the OCR website.

The agreement calls for a corrective action plan that includes, among other measures, conducting a risk assessment and implementing appropriate policies and procedures. The practice, which is owned by two physicians, lists five physicians on its website.

"This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the privacy and security rules," says Leon Rodriquez, OCR director. He stresses that OCR expects HIPAA compliance "no matter the size of a covered entity."

Key HIPAA Violations

Issues revealed in the investigation, according to OCR, are that the practice failed to:

  • Implement adequate policies and procedures to appropriately safeguard patient information;
  • Document that it trained any employees on its policies and procedures for complying with the HIPAA privacy and security rules;
  • Identify a security official and conduct a risk analysis;
  • Obtain business associate agreements with its Internet-based e-mail and calendar services vendors who stored and had access to protected health information.

In March, OCR announced a resolution agreement with BlueCross Blue Shield of Tennessee that included a $1.5 million penalty in a case involving a breach that affected more than 1 million individuals.


About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.




Around the Network