On April 17, 2012, the U.S. Department of Health and Human Services (HHS) announced a Resolution Agreement with a five-physician practice, Phoenix Cardiac Surgery, P.C. (Practice). The agreement requires the Practice to pay $100,000 to resolve a HIPAA violation charge and to implement a corrective action plan. The Office of Civil Rights (OCR), which enforces HIPAA, alleged that the Practice had disclosed electronic protected health information (ePHI) on a publicly accessible Internet-based calendar and had emailed ePHI to its employees' personal Internet-based email accounts. After investigating the complaint, OCR reviewed the Practice's HIPAA compliance for the preceding six years and found it wanting.
Small physician groups have largely flown under the radar when it comes to HIPAA compliance, but times are changing. The director of OCR made this point explicitly in the press release announcing the settlement:
“This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” said Leon Rodriguez, director of OCR. “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”
This is a wake-up call to all providers of health care services. Appropriate HIPAA policies, Business Associate Agreements with vendors who have access to protected health information, and workforce training are mandatory for every health care provider that qualifies as a "covered entity" under the regulations, regardless of its size.