Phoenix Cardiac Surgery of Phoenix and Prescott, Arizona, has agreed to pay HHS a $100,000 settlement and take corrective action by implementing policies and procedures to safeguard its patients' protected health information.
The settlement with the physician practice follows an investigation by the HHS Office for Civil Rights (OCR) into potential violations of the HIPAA Privacy and Security Rules. OCR's investigation found that the physician practice was posting clinical and surgical appointments for its patients on an internet-based calendar that was publicly accessible.
Further investigation revealed Phoenix Cardiac Surgery failed to:
- Implement adequate policies and procedures to appropriately safeguard patient information
- Document that it trained employees on its policies and procedures for the Privacy and Security Rules
- Identify a security official and conduct a risk analysis
- Obtain business associate agreements with internet-based email and calendar services when those services included storage of and access to its electronic protected health information
Go to www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html for more information concerning enforcement activities.