The Department of Health and Human Services (“HHS”) recently entered into a resolution agreement with a five-physician cardiac surgery practice that should be seen as a warning to any person or business that must comply with the Health Insurance Portability and Accountability Act (“HIPAA”).
In announcing the resolution agreement, HHS:
- directed all covered entities and business associates to review and update the practices and policies that govern their use and management of protected health information (“PHI”); and
- made it clear that significant monetary sanctions will be imposed on covered entities and business associates that violate HIPAA.
For anyone subject to HIPAA, this means that there is now even more reason to evaluate (i) your use and management of PHI and (ii) the privacy and security policies you adopted as part of your HIPAA compliance program.
Case That Provoked HHS’s Warning
On April 17, 2012, Phoenix Cardiac Surgery, P.C., a five-physician cardiac surgery practice with offices in Phoenix and Prescott, entered into a resolution agreement with HHS in which the practice agreed to pay a $100,000 civil penalty to resolve allegations that it had violated HIPAA’s Privacy and Security Rules. In that resolution agreement, Phoenix Cardiac Surgery, P.C. also agreed to implement a far-reaching and comprehensive corrective action plan designed by HHS’s Office of Civil Rights.
The allegedly improper conduct identified in the resolution agreement included the practice’s failure to:
- provide or document employee training on policies and procedures that were to be followed by employees handling PHI;
- implement appropriate and reasonable administrative and technical safeguards to protect the privacy of PHI;
- conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of PHI;
- appoint a security official; and
- obtain satisfactory assurances in business associate agreements that the privacy of PHI would be protected.
The resolution agreement also identified specific allegations of improper conduct relating to the privacy of electronic protected health information (“ePHI”). These allegations included the posting of clinical and surgery appointments on a publicly accessible, internet-based calendar and the transmission of ePHI to personal email accounts maintained by employees of Phoenix Cardiac Surgery, P.C.
Phoenix Cardiac Surgery, P.C. did not concur with any of the allegations made by the HHS in the resolution agreement or otherwise admit liability.
Corrective Plan Imposed
Under the terms of the corrective action plan, Phoenix Cardiac Surgery, P.C. agreed to:
- develop and maintain policies and procedures for the handling of PHI and ePHI, with the policies and procedures to be provided to HHS’s Office of Civil Rights for review and approval;
- distribute policies and procedures for the handling of PHI and ePHI to employees who use or disclose protected health information;
- require all employees who use or disclose protected health information to sign a compliance certification stating that the employee has read, understands and shall abide by the policies and procedures for the handling of PHI and ePHI;
- conduct an accurate and thorough assessment of risks and vulnerabilities to all ePHI created, received, maintained, used or transmitted;
- develop and implement a risk management plan to address risks and vulnerabilities to ePHI identified by the risk assessment, including risks and vulnerabilities associated with the transmission of ePHI in text messages that are transmitted to, from or stored on a portable device;
- appoint a security official who is responsible for the development and implementation of policies and procedures for the handling of PHI and ePHI;
- obtain satisfactory assurances in a written contract from each business associate that accesses, receives, maintains, stores or transmits ePHI; and
- implement security measures to guard against unauthorized access to ePHI transmitted over electronic communications networks, through encryption or otherwise.
While HHS has entered into corrective action plans with a number of small and mid-size medical practices that have allegedly violated HIPAA, the resolution agreement entered into with Phoenix Cardiac Surgery, P.C. is one of the first in which HHS has imposed a monetary penalty.
Importance of Reviewing Your HIPAA Obligations
A careful review of the resolution agreement entered into between Phoenix Cardiac Surgery, P.C. and the HHS may provide a helpful reminder for covered entities and business associates as they consider their obligations under HIPAA.
If Lewis and Roca LLP can be of assistance to your organization as it works to implement its responsibilities under HIPAA, please contact Gregory Y. Harris at firstname.lastname@example.org, Roy Kyle at email@example.com, or Peter R. Wand at firstname.lastname@example.org.
Additional information on Department of Health and Human Services’ enforcement activities can be found at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.
Information about the resolution agreement discussed in this Client Alert (along with a copy of the resolution agreement and corrective action plan) can be found at