Phoenix Cardiac Surgery recently entered into a $100,000 settlement with the U.S. Department of Health & Human Services (HHS) for alleged violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The settlement is the result of an investigation by the HHS Office for Civil Rights (OCR) after it received a complaint that Phoenix Cardiac Surgery had a publicly available online calendar that included clinical and surgical appointments for its patients. The OCR investigation further revealed that the practice's HIPAA compliance was deficient in several other respects, including implementation of policies and procedures to safeguard patient information, documentation of employee training on policies and procedures related to the Privacy and Security Rules, identification of a security official, completion of a risk analysis, and obtaining business associate agreements with vendors of e-mail and calendar services that included storage of and access to electronic protected health information. In addition to the monetary settlement, Phoenix Cardiac Surgery will be required to take corrective action by implementing policies and procedures to safeguard its patients' protected health information with oversight by HHS.