The Department of Health and Human Services Office for Civil Rights launched an investigation of Phoenix Cardiac Surgery's data privacy and security practices after receiving reports that the physician group posted patients' protected health information (PHI) on a publicly available internet-based calendar, HHS said in an April 17 news release. Phoenix Cardiac Surgery is a covered entity under HIPAA.
Among the specific violations OCR said its investigation uncovered:
• From April 2003 until October 2009, the practice did not provide and document employee training on policies and procedures for handling PHI.
• From July 2003 until February 2009, the practice posted more than 1,000 separate entries of electronic PHI (ePHI) on a publicly accessible, internet-based calendar.
• From September 2005 until November 2009, the practice transmitted, daily, ePHI from an internet-based email account to workforce members' personal email accounts.
• From September 2005 until November 2009, the practice failed to conduct a thorough analysis of the risk and vulnerabilities to ePHI.
“We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.” --Leon Rodriguez, HHS Office for Civil Rights
As part of the correction action plan, Phoenix Cardiac Surgery agreed to implement policies and procedures to comply with the HIPAA Privacy and Security Rules, including:
The resolution agreement is available HERE
To view additional stories from Bloomberg Law® request a demo now