Health and Human Services continues to crack down on covered entities that fail to abide by HIPAA. Most of the news coverage concerns large entities being fined millions for failing to protect their data. Most recently, Alaska settled its HIPAA case with HHS for 1.7 million; however, smaller entities are being targeted as well.
Phoenix Cardiac Surgery, a five-person practice in Arizona, agreed to pay $100,000 in civil money penalties and to take corrective actions. Specifically, HHS found the following:
- “Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information;
- Phoenix Cardiac Surgery failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
- Phoenix Cardiac Surgery failed to identify a security official and conduct a risk analysis; and
- Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.”
The overview of the case can be found on the HHS website.
NIST 800-66 provides an introductory guide to HIPAA Security Rule compliance. Additionally, practices should consider forming a relationship with third-party organizations that specialize in compliance.