Do you think a two-physician cardiology group is too small for the feds to fine for  alleged HIPAA violations? Phoenix Cardiac Surgery, P.C.  (PCS) has learned otherwise the hard way, to the tune of $100,000. As this blog has noted, almost all enforcement to date has been against large insurers or major hospitals and not community hospitals or physician practice groups,  and  enforcement has largely been low-hanging fruit of failure to comply on a timely basis with notice requirements.  The Resolution Agreement, announced by HHS in an April 17 press release, describes a very different participant in the Parade of HIPAA Breaches we have been following in this blog series.  Among the unusual features of this settlement are:

• The type of  covered entity – a two-physician cardiology practice;
• The  alleged  nature of the violation – not just a one-time negligent breach, but a systematic, multi-year failure to adopt and implement appropriate HIPAA safeguards; and 
• The size of the violation – as the breach has yet to appear on the OCR Wall of Shame, it may have involved  fewer than 500 individuals. 

Phoenix Cardiac Surgery first came to the attention of HHS’s Office of Civil Rights following a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. That alone is not unique – other covered entities including SAIC and Stanford University Hospital have been embarrassed to discover their PHI had been inadvertently made available online to prying eyes. What OCR found upon further investigation was a startling indifference to health privacy concerns dating back to the earliest effective dates of HIPAA and continuing through 2009. 

OCR determined that Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules, and had limited safeguards in place to protect patients’ electronic protected health information (ePHI). The Resolution Agreement indicates that PCS was unusually lax about HIPAA training, policies and procedures, safeguards, and accountability.  It is almost a textbook case of everything a covered entity can do wrong. OCR alleged that PCS:

• did not provide and document training of each workforce member on required policies and procedures with respect to PHI as necessary and appropriate for each workforce member to carry out his/her function within the Covered Entity.
• posted over 1,000 separate entries of ePHI on a publicly accessible, Internet-based calendar over a two year period;
• transmitted ePHI daily from an Internet-based email account to workforce members’ personal Internet-based email accounts.
• failed to appoint a security official until 2009.
• failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the ePHI held by PCS.
• failed to obtain satisfactory assurances in business  associate agreements from the Internet-based calendar vendor and from the Internet-based public email provider that these entities would appropriately safeguard the ePHI received from PCS.
• permitted the entity providing the Internet-based calendar application to receive, store, and maintain ePHI on  behalf of PCS without obtaining satisfactory assurances in a business associate agreement with the entity.  

OCR imposed a $100,000 penalty and required PCS to adopt a Corrective Action Plan which appears as Appendix A to the Resolution Agreement. The plan requires PCS to

• Develop, maintain and revise, as necessary, written policies and procedures that meet the requirements of the HIPAA Privacy and Security Rules, and submit them to OCR for review and approval within 60 days;
• Make any changes required by OCR and implement the finalized policies and procedures within 30 days of approval.
• Distribute the policies and procedures to all members of the workforce within 15 days of their joining PCS‘s workforce, and obtain certification from each member that they have read, understood and will abide by such policies and procedures;
• Update its 2009 risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI when it is created, received, maintained, used or transmitted by the Covered Entity, including, but not limited to, when ePHI is a) posted to an Internet-based electronic calendaring system, b) transmitted over an Internet-based electronic communications system, c) accessed remotely, or d) transmitted to or from or stored on a portable device;
• Develop and submit a risk management plan to OCR for approval.
•  Appoint a security official;
• Produce satisfactory assurances that all business associates will comply with HIPAA;
• Adopt  technical safeguards for electronic information systems;
• Implement technical security measures to guard against unauthorized access to ePHI transmitted over an electronic communications network, including a measure to encrypt or otherwise adequately safeguard ePHI;
• Provide and document comprehensive privacy and security training to its workforce;
• Report all violations of the policies and procedures by any member of the workforce to OCR within 30 days;

OCR also reserves the right to impose additional civil monetary penalties in the event of a breach of the Corrective Action Plan that is not cured within 30 days.

In essence, the Corrective Action Plan requires PCS to do what it should have done all along to comply with HIPAA, but with the added intrusion and inconvenience of government oversight analogous to the Corporate Integrity Agreements frequently required in settlements of Medicare fraud and other federal false claims allegations. For Phoenix Cardiac Surgery, this is one march that provides no aerobic benefits.

If OCR is trying to send a message that no covered entity is too small to be penalized, they picked a particularly clear and egregious first case. However, that is no assurance that less pervasive compliance failures will continue to fly under the OCR radar.