
HHS Announces HIPAA Settlement with Physician Practice

Posted on April 25, 2012 in Health Law News

Published by: Hall Render

On April 17, 2012, the Department of Health and Human Services (“HHS”) announced that it had reached a settlement with Phoenix Cardiac Surgery, P.C. (the “Practice”) arising from potential violations of the Privacy and Security Rules under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  This is the first Resolution Agreement under HIPAA involving a freestanding physician practice.

This action arose out of a report to HHS that the Practice was posting clinical appointments for its patients on a publicly accessible Internet-based calendar.  The HHS Office for Civil Rights (“OCR”) investigated the report and found that the Practice had failed to adequately implement several requirements under the HIPAA Privacy and Security Rules.  In particular, OCR found that the Practice failed in its HIPAA compliance in the following ways:

  • The Practice did not implement adequate policies and procedures to appropriately safeguard protected health information (“PHI”).
  • The Practice did not provide and document training of each workforce member on required HIPAA policies and procedures.
  • The Practice did not implement required administrative and technical safeguards under the HIPAA Security Rule, such as designating a security official or conducting a risk analysis.
  • The Practice did not enter into business associate agreements in all required instances.

As a result, HHS, OCR and the Practice entered into a Resolution Agreement whereby the Practice agreed to pay HHS a $100,000 settlement payment and to perform several obligations in a variety of areas, as follows:

  • Policies and Procedures.  The Practice is required to develop, maintain and revise, as necessary, written policies and procedures with respect to administrative safeguards, technical safeguards and workforce training.
    • Administrative safeguards.  The Practice must have policies that address the performance of risk assessments, particularly when PHI is utilized in Internet-based systems, accessed remotely or accessible on a portable device.  The Practice must then implement a risk management plan to address risks identified in the risk assessment.  The Practice also must have policies pertaining to the appointment of a security official, as well as obtaining satisfactory written assurances from business associates.
    • Technical safeguards.  The Practice must have access control and management policies that allow access to only those persons and programs that require access to PHI to perform their job functions and policies requiring encryption or other technical means of safeguarding electronic PHI on portable electronic devices.  Notably, HHS made special mention that such policies should address safeguarding all portable devices that are used to access PHI, including devices not owned or issued by the Practice.
    • Workforce training.  The Practice is required to have policies detailing the training of all workforce members who use or disclose PHI, including management.  Specific areas that must be covered by the policies include: security awareness, security reminders, guarding against malicious software, log-in monitoring and safeguarding passwords.
  • Training.  The Practice must train each workforce member who uses or discloses PHI on the HIPAA policies and procedures, obtain certification from each workforce member that the training was received and review and update such training at least annually and more often as needed.
  • Reports.  The Practice is required to submit an implementation report to HHS documenting compliance with the terms of the Resolution Agreement.

In the press release announcing this enforcement action, OCR Director Leon Rodriguez noted the significance of the multi-year, continuing failure of the Practice to comply with the Privacy and Security Rules.  He also cautioned covered entities to pay careful attention to this Resolution Agreement and understand that since the Privacy and Security Rules have been in place for many years, “OCR expects full compliance no matter the size of a covered entity.”  In light of this development, covered entities, regardless of size or type, should take the necessary steps to ensure that their HIPAA compliance programs are effective, including:

  • Conducting a risk assessment to determine where vulnerabilities exist in current practices and systems;
  • Reviewing policies and procedures affecting privacy and security to ensure that they are thorough and complete;
  • Training workforce members who have access to PHI on the details of HIPAA policies and procedures;
  • Ensuring that business associate agreements are in place with all third parties who have access to PHI in the course of providing services on behalf of the covered entity;
  • Actively monitoring compliance, particularly when there is a material change in processes, personnel or functions; and
  • Considering the use of encryption or other appropriate technical safeguards for all media and devices that store, transmit or maintain PHI, even if those devices are not owned or issued by the covered entity.

More information on this enforcement action, including the Resolution Agreement and the HHS press release, is available here.

Hall Render’s HIPAA Impact Series has provided in-depth analysis of HIPAA issues and developments since the passage of HITECH.  Our HIPAA Impact Series may be accessed at www.hallrender.com/impact.

If you need additional information about HIPAA/HITECH, please contact Mark Swearingen at (317) 977-1458 or mswearingen@wp.hallrender.com or your regular Hall Render attorney.