A 5-physician practice in Phoenix was the target of the HHS Office for Civil Rights' ("OCR") most recent enforcement action. The practice agreed to pay HHS a resolution amount of $100,000, as well as enter into a Corrective Action Plan, for its failure to comply with the most fundamental of HIPAA requirements. As I discussed at the April 25 webinar hosted by Maureen Corcoran and Daphne Saneholtz of Vorys Health Care Advisors LLC, this development is significant for two major reasons: first, the target of the investigation is a fairly small practice, not a large hospital; and second, there was no major breach of health information that prompted the action. No provider, whether a large system or a small community-based practice, can rest assured that it is somehow immune to HIPAA enforcement.
What Went Wrong?
The investigation and settlement were triggered by a report to HHS that the practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. OCR followed up with an extensive investigation and, according to Leon Rodriguez, director of OCR, it uncovered a:
multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules.
Specifically, the practice failed to:
- Implement adequate policies and procedures to appropriately safeguard patient information;
- Document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
- Conduct an assessment of the risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the provider;
- Identify a security official; and
- Obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its electronic protected health information.
The investigation uncovered staggering non-compliance for significant periods of time.
An Eye-Opening Enforcement
Unlike the HIPAA violations involving hospitals and stolen hard drives, unauthorized employee access, or patient information left on a subway, OCR chose to pursue (and make an example of) a small physician practice for violations of HIPAA. This means that no provider can put its head in the sand and ignore its legal obligations to protect both the privacy and security of patient information. Nor can providers hope to stay off OCR's radar simply by avoiding the headline-grabbing breaches of sensitive patient information: here, a complaint about a publicly accessible calendar, not a breach, was enough to open an investigation. OCR has made clear that it intends to aggressively enforce all aspects of the HIPAA Privacy and Security Rules, and no provider is immune from enforcement.
What Can You Learn?
It goes without saying that securing patient information and avoiding large-scale breaches is absolutely necessary for each and every provider. What is now more clear than ever is that all providers must also proactively assess their compliance with all other aspects of the HIPAA Privacy and Security Rules. Providers need to promptly develop a strategy and assemble a team to do the following:
- Perform an initial risk analysis of their current security practices, covering the confidentiality, integrity, and availability of the electronic protected health information they hold.
- Based on the results of the analysis, implement adequate policies and procedures to appropriately safeguard patient information.
- Identify a security official, and obtain business associate agreements with any Internet-based email, calendar, or other service whose provision includes storage of or access to electronic protected health information.
- Train employees on these policies and procedures and on the Privacy and Security Rules.
- Document each of the above, since OCR faulted this practice not only for what it failed to do, but for having no record that it had done it.