Because so few organizations have been penalized for failing to comply with HIPAA, many healthcare organizations, especially smaller ones, figured they could get away with paying scant attention to compliance with the HIPAA privacy and security rules.
That's why this week's announcement of sanctions against a small physician group practice in Arizona is so noteworthy. The practice didn't experience a headline-grabbing major breach. But when federal authorities received a complaint about what looked like a HIPAA violation, they launched what turned into a three-year investigation culminating in a $100,000 penalty and a corrective action plan.
So if you work at a small clinic or hospital and have been struggling to gain support for a HIPAA compliance program, be sure to share this enforcement tale with your top executives.
A Lengthy Investigation
The Department of Health and Human Services' Office for Civil Rights began its investigation of Phoenix Cardiac Surgery P.C. in February 2009 when it received a report that the practice was posting clinical and surgical appointments for its patients on an internet-based calendar that was publicly accessible. The OCR investigation determined the practice had implemented few policies and procedures to comply with the HIPAA privacy and security rules and had limited safeguards in place to protect patients' information.
The corrective action plan resulting from the investigation includes, among other measures, conducting a risk assessment and implementing appropriate policies and procedures, which are two fundamental HIPAA compliance steps that the practice had yet to take.
"This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the privacy and security rules," says Leon Rodriquez, OCR director. He stresses that OCR expects HIPAA compliance "no matter the size of a covered entity."
So if you think your organization can stay under the radar because it's relatively small, think again. The Phoenix practice lists five physicians on its website. And now it faces a substantial financial penalty as well as ongoing federal scrutiny.
When he became OCR director last fall, Rodriguez made a point of emphasizing his plans to ramp up HIPAA enforcement. But OCR investigations take a long time, typically two years or more. So while it may take a while, it's inevitable that we'll see a lot more announcements from OCR about HIPAA violation settlements. They may involve big breaches or just a pattern of non-compliance.
Among other issues, OCR's investigation revealed the following issues:
- Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information;
- Phoenix Cardiac Surgery failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
- Phoenix Cardiac Surgery failed to identify a security official and conduct a risk analysis; and
- Phoenix Cardiac Surgery failed to obtain business associate agreements with internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.
Healthcare Compliance Pros offers a complete compliance program. If you are following that program (policies and procedures and the online training program) you will not have any problems passing an audit or investigation into your compliance. Many of our clients have already had an audit and/or an investigation and have found this to be true.