Small Surgery Practice Fined for HIPAA Violations
Small-practice doctors and solo practitioners beware: The small size of your practice won't save you from being fined for violations of the Health Insurance Portability and Accountability Act Privacy and Security Rules. The Office for Civil Rights of the Department of Health and Human Services recently imposed a $100,000 civil penalty against a five-physician cardiac-surgery practice in Phoenix and Prescott, Arizona for HIPAA violations.
The Arizona surgery practice drew the attention of HHS when someone complained to the agency's Office for Civil Rights about the surgeons' website, which contained a publicly accessible Internet-based calendar that made patients' surgery schedules and appointment dates visible to anyone who visited the site. When agency representatives investigated the complaint, they discovered that the practice had failed to comply with a number of HIPAA requirements since the Act became effective in 2003.
The practice did not have adequate policies and practices in place to protect patients' records, and it failed to document HIPAA training for its employees. It had not designated an information-security official or analyzed its security risks, and it did not have adequate contracts in place with the vendors that administered its e-mail and calendaring service. In addition to paying the $100,000 fine, the owners agreed to take corrective action to remedy noncompliance.
Previously, small to mid-size practices had agreed to implement corrective action plans but avoided civil penalties. Speaking about this case, the director of the HHS Office for Civil Rights said: "OCR expects full compliance no matter the size of a covered entity."