After an intensive investigation, the Office of Civil Rights (OCR) found that insufficient safeguards had been implemented to protect the privacy and security of patients’ electronic protected health information (ePHI). “This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” said Leon Rodriguez, director of OCR. “We hope that healthcare providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”
Aside from the publicly accessible Internet calendar, OCR identified 5 major ways that the group failed to comply with HIPAA privacy and security:
- Lack of policies and procedures to safeguard the privacy and security of ePHI
- Lack of training for staff on HIPAA regulations
- Failure to identify a security officer
- Failure to conduct an assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI
- Failure to obtain necessary Business Associate Agreements (BAA) from 3rd parties with access to ePHI
These five items can easily occur at any practice and further show the urgency that organizations need to have when correcting their HIPAA compliance deficiencies. This should speak volumes to rest of the healthcare community. Ignorance is no longer an acceptable excuse for failing to comply with HIPAA regulations and OCR is making sure, with each and every investigation, that everyone is clear on that fact. Not only does this group have to pay a substantial settlement, but they also have agreed to implement a Corrective Action Plan (CAP) to resolve their HIPAA issues. (Read my blog about CAPs) That implementation may cost thousands of dollars in administrative costs as well as the revenue hit they are sure to see from the negative press. A quick Google search for “Phoenix Cardiac Surgery” will return with 6 of the first 10 entries being press releases about this HIPAA settlement.
You may be thinking that $100,000 seems a bit harsh for a penalty, but fines can be upwards of $1.5 million annually for HIPAA breaches due to willful neglect. In reality, Phoenix Cardiac Surgery may have gotten off a little easy compared to some of the other CAPs that have been assigned to hospitals and payers for breaches. Regardless of the size of your organization, it is critical that you adopt the mentality that ignorance does not absolve you from these regulations. “I didn’t know” will not let you off the hook; instead it will prove that there was willful neglect. It is your responsibility as a covered entity to know the regulations and implement the appropriate safeguards. Don't become the next OCR press release.