Phoenix Cardiac Surgery, P.C. (the "PC") is a professional practice owned by two physicians in Phoenix, AZ. An investigation by the HHS Office for Civil Rights was triggered by a report that the PC was posting clinical and surgical appointments for its patients on an internet-based calendar that was publicly accessible. The investigation revealed a number of violations of HIPAA requirements:
The PC did not provide and document training of workforce members from 2003 to 2009.
From 2005 (when the PC began sending ePHI by email) to 2009, the PC did not have in place appropriate safeguards to protect PHI and, in that time period, the PC posted 1,000 separate entries of ePHI on a publicly-accessible internet-based calendar and daily transmitted ePHI to workforce members' internet-based email accounts.
From 2005 to 2009, the PC did not identify a security official.
From 2005 to 2009, the PC did not conduct an assessment of risks to the confidentiality, integrity and availability of ePHI.
From 2005 to 2009, the PC did not obtain satisfactory assurances from its internet-based email provider regarding security and confidentiality and, from 2007 to 2009, it did not obtain satisfactory assurances from its internet-based calendar provider.
As announced by OCR on April 17, 2012, in order to resolve the open investigation, the PC agreed to pay $100,000 to the OCR and to implement a corrective action plan. The $100,000 payment is not allocated to any particular element of the above items, but any of them could be a reasonably anticipated oversight by a well-intentioned, but busy, small practice. The OCR investigation addressed periods prior to the implementation of the HITECH Act, and therefore, data breach notification was not implicated.
Given OCR's increased attention to enforcement, even small providers must be sure that they systematically cover the minimum basic requirements under HIPAA, or they may be required to make substantial payments to OCR to resolve complaints and investigations.