April 30, 2012

HIPAA compliance is serious business


by Jeff Grant

This article was published as part of a blog series on electronic health records and the optometric practice.

You might have seen blog postings or articles I've written in the last year or so about HIPAA compliance and the fact that there really are "HIPAA police." I've warned practices for some time to take this subject very seriously, especially the EHR incentive requirement to perform a security risk analysis. Well, I have evidence for you that noncompliance can cost you a lot of money.

HHS just announced that it has settled a case with Phoenix Cardiac Surgery over a lack of HIPAA safeguards. The action comes from an investigation by the HHS Office for Civil Rights (OCR) into potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The investigation stemmed from an online appointment service that left protected health information (PHI) exposed and unsecured. Phoenix Cardiac Surgery, PC, of Phoenix and Prescott, Ariz., has agreed to pay a $100,000 settlement and take corrective action to implement policies and procedures to safeguard the protected health information of its patients.

OCR found that Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules and had limited safeguards in place to protect patients’ electronic protected health information (ePHI).

Among other issues, OCR's investigation revealed that Phoenix Cardiac Surgery failed to:

  • implement adequate policies and procedures to appropriately safeguard patient information;
  • document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
  • identify a security official and conduct a risk analysis; and
  • obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.

So, let this be a warning to you, and a guide to what OCR would look for if you were ever on its radar.