By Anna Kraus

The Department of Health and Human Services (HHS) announced on Tuesday that Phoenix Cardiac Surgery, P.C. (Phoenix) agreed to pay $100,000 and implement a corrective action plan to come into full compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).  HHS had been investigating the Arizona physician practice for potential violations of the HIPAA Privacy and Security Rules.

The investigation began when HHS received a report that Phoenix was posting clinical and surgical appointments for patients on an Internet-based calendar that was accessible by the public.  Upon further investigation, HHS determined that the physician practice had, among other things, failed to:

  • implement appropriate and reasonable administrative and technical safeguards to protect the privacy of protected health information (PHI)
  • identify a security officer and conduct the risk assessment required by the HIPAA Security Rule
  • enter into business associate agreements with its Internet-based calendar provider and Internet-based public e-mail provider
  • document that it trained any employees on HIPAA policies and procedures

Under the resolution agreement, Phoenix agreed to pay a $100,000 settlement and to comply with a corrective action plan.  The plan requires Phoenix to, among other things: develop, implement, and distribute specific HIPAA policies and procedures to address the conduct discovered through the investigation; provide training on those policies and procedures to all workforce members who use or disclose PHI; and notify HHS if any workforce members have violated those policies and procedures.

This settlement comes on the heels of HHS’s announcement, in March, that it settled a HIPAA case against Blue Cross Blue Shield of Tennessee (BCBST) for $1.5 million.  That case—the first arising from a breach report required by the HIPAA Breach Notification Rule—involved a reported theft of 57 unencrypted hard drives containing the PHI of over 1 million individuals.  The Phoenix and BCBST settlements are further evidence that HIPAA enforcement actions are increasing, and HHS will expect full compliance from covered entities and business associates.