Phoenix Cardiac Surgery of Phoenix and Prescott, Ariz., has agreed to pay HHS a $100,000 settlement for its failure to comply with HIPAA privacy and security rules. Phoenix Cardiac Surgery has also agreed take corrective action to implement policies and procedures to safeguard patient information. The HHS Office for Civil Rights investigated Phoenix Cardiac Surgery after a report surfaced that the physician practice was posting clinical and surgical appointments for its patients on a publicly accessibly Internet-based calendar.
The investigation found that Phoenix Cardiac had implemented limited policies to protect patient electronic health information violating HIPAA privacy and security rules in the following ways:
• Failure to implement adequate policies and procedures to appropriately safeguard patient information;
• Failure to document training of employees on policies and procedures in the HIPAA privacy and security rules;
• Failure to identify a security official and conduct a risk analysis;
• Failure to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage and access to its electronic patient health information.
More Articles on HIPAA:
HIMSS: Improved HIPAA Compliance Has Not Increased Data Security
Going "Social": Monitoring and Addressing HIPAA violations on Social Media
CMS to Hold Off Enforcement of HIPAA Version 5010 Standards Until March 2012
The investigation found that Phoenix Cardiac had implemented limited policies to protect patient electronic health information violating HIPAA privacy and security rules in the following ways:
• Failure to implement adequate policies and procedures to appropriately safeguard patient information;
• Failure to document training of employees on policies and procedures in the HIPAA privacy and security rules;
• Failure to identify a security official and conduct a risk analysis;
• Failure to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage and access to its electronic patient health information.
More Articles on HIPAA:
HIMSS: Improved HIPAA Compliance Has Not Increased Data Security
Going "Social": Monitoring and Addressing HIPAA violations on Social Media
CMS to Hold Off Enforcement of HIPAA Version 5010 Standards Until March 2012