Cardiac Practice’s $100,000 HIPAA-Violation Fee Proves HHS Takes Privacy Seriously

Be warned that practices using Web-based electronic systems that lack appropriate privacy protection, whether by accident or not, could face the same fate.

An Arizona cardiac practice that posted patients’ clinical appointments on a publicly accessible, Internet-based scheduling system agreed this week to pay HHS a $100,000 settlement for violating the HIPAA Privacy and Security Rules.

Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, Ariz., also agreed to take corrective action by implementing policies and procedures to safeguard the protected health information of its patients, according to an HHS news release.

The settlement with the physician practice follows an extensive investigation by the HHS Office for Civil Rights (OCR) after it was reported that the practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR found that Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules, and had limited safeguards in place to protect patients’ electronic protected health information (ePHI).

“This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” said Leon Rodriguez, director of OCR, in a press statement. “We hope that healthcare providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”

What happened this week, outlined in the very public HHS press release, proves that the federal government takes privacy and security in the digital age seriously, and that practices relying on Web-based electronic systems that lack appropriate privacy protection, whether by accident or not, could face the same fate as their Arizona peers.

We asked security consultants who work with practices to what extent a “this can’t happen to me” attitude still persists, as well as what lessons can be learned from this experience.

Jim Leonard, healthcare consultant and vice president of information technology at Quorum Health Resources, LLC, said while HHS is using this incident as an “example” of what not to do, “it's a realistic and perfect one that speaks to what amounts to misapplied technology.”

“This is a great example of how a clinic can be seduced by a seemingly good IT solution, but without a serious review and deep thought about consequences regarding HIPAA security, can end up with a problem on their hands,” Leonard told Physicians Practice.

Healthcare IT consultant Marion Jenkins, of QSE Technologies, Inc., said practices can protect themselves against breaches and HIPAA violations by making sure web technology is deployed correctly, with all of the right protections.

“The situation was pretty egregious, really,” Jenkins told Physicians Practice. “[The practice] either had somebody develop an application that didn’t have the proper security, or they used a patient portal from a software vendor and didn’t deploy it right.”

A representative from Phoenix Cardiac Surgery, P.C., could not be reached for comment.

For more information on protecting yourself against data breaches, check out the following articles:

Mobile Technology and the Rise of Healthcare Data Breaches

Data Breaches in the News: Why Practices Should Pay Attention

Protect Your Practice From Data Breaches