By George F. Indest III, J.D., M.P.A., LL.M., Board Certified by The Florida Bar in Health Law
The United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has reached a settlement with Phoenix Cardiac Surgery (PCS) over alleged Health Insurance Portability and Accountability Act of 1996 (HIPAA) violations. The settlement was reached on April 17, 2012 and requires PSC to pay OCR $100,000 and enter into a one-year corrective action plan (CAP).
The Resolution Agreement and Corrective Action Plan can be viewed here.
Internet Calendar Postings Launched HIPAA Complaint Against PCS
OCR's investigation of PCS was launched in 2009 after a complaint was received. Click here to view a HIPAA complaint that you can file online. The complaint alleged that PCS had disclosed protected health information (PHI) on patients on the Internet. After investigating the complaint, the OCR alleged that PCS violated the HIPAA privacy and security rules. According to the OCR, PCS posted clinical and surgical appointments on a publicly accessible, Internet calendar. The OCR also alleged that PCS employees e-mailed protected health information to their personal e-mail accounts.
Furthermore, PCS allegedly did not have adequate administrative, physical and technical safeguards in place to protect patient data. The OCR alleged that PSC did not appoint a security officer as required by HIPAA or perform an accurate and thorough risk assessment, also required by HIPAA. The CAP required by the settlement will require PCS to implement policies to ensure full compliance with HIPAA's privacy and security rules.
Are You In Compliance with HIPAA?
The Health Insurance Portability and Accountability Act of 1996, sometimes referred to as the Kennedy-Kassenbaum Act, was enacted into law as Public Law (P.L.) 104-191, 110 Stat. 1936. Among its many different provisions, it included basic minimums to ensure the privacy of personal medical information. Its main privacy provisions are codified in federal law in different sections of the U.S. Code.
Medical Practices Should Use Caution When Working With Electronic Health Information
This case provides a good example of the downside of information technology (IT). While electronic health information assists in increasing accessibility and efficiency, it can also increase a practice's risk of violating HIPAA's Privacy Rule and Security Rule.
All medical practices that utilize electronic health information need to ensure that they have effective IT security, education, policies and procedures in place to protect themselves from HIPAA's violations.
Contact a Health Law Attorney Experienced in Defending HIPAA Complaints and Violations
The attorneys of The Health Law Firm represent physicians, medical groups, nursing homes, home health agencies, pharmacies, hospitals and other healthcare providers and institutions in investigating and defending alleged HIPAA complaints and violations and in preparing Corrective Action Plans (CAPs).
For more information about HIPAA violations, electronic health records or corrective action plans (CAPs) please visit our website at www.TheHealthLawFirm.com or call (407) 331-6620 or (850) 439-1001.
HHS Press Office. "HHS Settles Case with Phoenix Cardiac Surgery for Lack of HIPAA Safeguards." U.S. Department of Health and Human Services. (Apr. 17, 2012). Press Release. From
Lewis, Nicole. "Online Calendar Mistakes Cost Doctors Group $100,000." Information Week. (Apr. 23, 2012). From
Sterling, Robyn. "HHS Settlement for Lack of HIPAA Safeguards." Proskauer Privacy Law Blog. (Apr. 25, 2012). From
About the Author: George F. Indest III, J.D., M.P.A., LL.M., is Board Certified by The Florida Bar in Health Law. He is the President and Managing Partner of The Health Law Firm, which has a national practice. Its main office is in the Orlando, Florida, area. www.TheHealthLawFirm.com The Health Law Firm, 1101 Douglas Ave., Altamonte Springs, FL 32714, Phone: (407) 331-6620.
Tag words: HHS, Department of Health and Human Services, corrective action plan, CAP, HIPAA, HIPAA violation, HIPAA privacy complaint defense, HITECH, EHR, electronic health records, electronic protected health information, privacy and security rules, IT security, Office for Civil Rights, OCR