
May 01, 2012

Phoenix Cardiac Surgery HIPAA violations - a follow up

In this case, OCR found that, on a daily basis over a period of four years, Phoenix Cardiac Surgery had transmitted ePHI from an Internet-based email account to the personal Internet-based email accounts of workforce members. The finding underscores the risk that unregulated or unsupervised use of email for transmitting ePHI poses to a practice: once ePHI lands in a personal webmail account, the practice has no control over where it is stored, who can access it, or when it is deleted.

Although Phoenix Cardiac Surgery is a small, non-institutional provider, i.e., a physician practice with just two owners, OCR did not relieve the practice of its obligation to comply with the basic requirements of HIPAA. Instead, OCR required the practice to pay $100,000 to settle the claims against it and to enter into a one-year corrective action plan (CAP). Pursuant to the terms of the CAP, the practice must develop policies and procedures that comply with the HIPAA Privacy and Security Rules, submit them to OCR for approval, and fully implement them within 30 days of OCR's approval. The CAP also requires the practice to obtain a signed statement from every workforce member that he or she has read, understands, and will abide by the policies and procedures, and to train all workforce members who use or disclose PHI on those policies and procedures within 60 days of OCR's approval of them. During the term of the CAP, any violation of the policies and procedures must be reported to OCR, together with the steps the practice intends to take to mitigate any harm and prevent recurrence.

OCR's expectation that providers should be in full compliance with the Security Rule - with which covered entities have been required to comply since April 2005, seven years ago - is not surprising. This settlement highlights the need to treat security compliance as a continuous process involving regular assessments of the security environment, review of policies and procedures, and workforce training - for every medical practice, large, medium, small, and solo.
