Big-money penalties for routine HIPAA violations are becoming an everyday reality for health care providers. On April 11, Phoenix Cardiac Surgery, a cardiology practice in Arizona, entered into a settlement agreement with the Department of Health and Human Services Office for Civil Rights (OCR) in which it agreed to pay $100,000 and implement a corrective action plan. The OCR began an investigation of the practice after it received complaints from patients that the practice was posting their protected health information (PHI) on a publicly available, Internet-based calendar.

The government's investigation revealed a number of specific HIPAA violations by the practice, including:

  • From 2003 to 2009, the practice neither provided nor documented training for its workforce members on its policies and procedures for handling PHI.
  • From 2007 to 2009, the practice posted over 1,000 entries containing PHI on a publicly accessible, Internet-based calendar.
  • From 2005 to 2009, the practice transmitted PHI daily from an Internet-based e-mail account to workforce members' personal Internet-based e-mail accounts.
  • From 2005 to 2009, the practice failed to designate a security official.

The OCR has been actively investigating covered entities, including health care providers and health insurers, for violations of HIPAA's privacy protections, and recent changes in the law allow significant monetary penalties even for unintentional violations. Covered entities are required not only to come into compliance with HIPAA's regulations, but also to monitor their own compliance on an ongoing basis.

In light of the stepped-up compliance investigations and increased penalties, both covered entities and business associates are encouraged to revisit their HIPAA compliance programs to make sure they are up to date.