Monday, May 14, 2012

Internet Calendar Postings at the Center of Alleged HIPAA Privacy Violation Settlement

By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law

A physician group has reached a settlement with the United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR) over alleged Health Insurance Portability and Accountability Act of 1996 (HIPAA) violations. The settlement was reached on April 17, 2012. It requires Phoenix Cardiac Surgery (PCS) to pay OCR $100,000. PCS is also required to enter into a one-year corrective action plan (CAP). The Resolution Agreement and Corrective Action Plan can be viewed here.

HIPAA Complaint Resulted from Internet Calendar Postings.
OCR's investigation of PCS was launched after a complaint was received in 2009. Click here to view a HIPAA complaint that you can file online. The complaint alleged that PCS disclosed patients' protected health information (PHI) on the Internet. After investigating the complaint, the OCR alleged that PCS violated the HIPAA privacy and security rules.

According to the OCR, PCS posted clinical and surgical appointments on a publicly accessible Internet calendar. The OCR also alleged that PCS employees e-mailed protected health information to their personal e-mail accounts. Furthermore, PCS allegedly did not have adequate administrative, physical and technical safeguards in place to protect patient data. The OCR alleged that PCS did not appoint a security officer as required by HIPAA or perform an accurate and thorough risk assessment, also required by HIPAA. The CAP required by the settlement will require PCS to implement policies to ensure full compliance with HIPAA's privacy and security rules.

Are You In Compliance with HIPAA?


The Health Insurance Portability and Accountability Act of 1996, sometimes referred to as the Kennedy-Kassebaum Act, was enacted into law as Public Law (P.L.) 104-191, 110 Stat. 1936. Among its many different provisions, it included basic minimums to ensure the privacy of personal medical information. Its main privacy provisions are codified in federal law in different sections of the U.S. Code.

Health Providers Must be Cautious When Working With Electronic Health Information.
This case provides a good example of the downside of information technology (IT). While electronic health information assists in increasing accessibility and efficiency, it can also increase a practice's risk of violating HIPAA's Privacy Rule and Security Rule. All medical practices that utilize electronic health information need to ensure that they have effective IT security, education, policies and procedures in place to protect themselves from HIPAA violations.

Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations.

The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).

For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at http://www.thehealthlawfirm.com/ or call (407) 331-6620 or (850) 439-1001.

Sources Include:

HHS Press Office. "HHS Settles Case with Phoenix Cardiac Surgery for Lack of HIPAA Safeguards." U.S. Department of Health and Human Services. (Apr. 17, 2012). Press Release. From http://www.hhs.gov/news/press/2012pres/04/20120417a.html

Lewis, Nicole. "Online Calendar Mistakes Cost Doctors Group $100,000." Information Week. (Apr. 23, 2012). From http://www.informationweek.com/news/healthcare/security-privacy/232900727

Sterling, Robyn. "HHS Settlement for Lack of HIPAA Safeguards." Proskauer Privacy Law Blog. (Apr. 25, 2012). From http://www.jdsupra.com/post/documentViewer.aspx?fid=e548966a-d7eb-4f47-a0af-de15db487dbb/

About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. http://www.thehealthlawfirm.com/ The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.