I recently attended the 2013 Health Law Institute Minnesota Continuing Legal Education two-day seminar. One of the topics covered was “Significant New HIPAA Developments – A Report from the U.S. HHS Office of the General Counsel.” Jerome Meites from the Chicago HHS office of the General Counsel spoke on this topic.

Scheduling More Convenient For Patients, But Ignoring HIPPA Proved Costly

Mr. Meites highlighted the April, 2012 settlement by a Phoenix-based clinic (Phoenix CS for this article) with HHS. The U.S. Department of Health and Human Services settled its investigation of the Prescott, Arizona medical practice by imposing a $100,000 civil penalty to resolve allegations that the medical practice had violated HIPAA’s Privacy and Security Rules.

The incident that gave rise to the initial investigation was the medical practice posting of clinical and surgical appointments for its patients on an internet-based calendar that could be accessed by the public. Per the HHS news release, the investigation also revealed the following issues:

  • Phoenix CS failed to implement adequate policies and procedures to appropriately safeguard patient information;
  • Phoenix CS failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
  • Phoenix CS failed to identify a security official and conduct a risk analysis; and
  • Phoenix CS failed to obtain business associate agreements with internet-based email and calendar services where the provision of the service included storage of and access to its electronic Personal Health Information.

The Phoenix CS case is significant in that it demonstrates that HHS and its enforcement arm, the Office of Civil Rights (OCR), will not hesitate to investigate security complaints because of the entity size. Phoenix CS was a two-physician practice according to the speaker.

Need more info?

DS+B has a significant presence in the Minneapolis/St. Paul Minnesota Metropolitan Area providing tax and accounting services to the medical community. We are available to consult with medical service providers regarding their Personal Health Information data handling practices and procedures. A review of the practice’s basic security steps and implementation of data security training to reinforce the PHI breach risks should be considered.

Please contact your engagement partner to discuss these matters further. You can also contact us to develop a specific plan of action to help minimize your PHI security breach risks.


Disclaimer: All content provided in this article is for informational purposes only, and is subject to change. Contact a DS+B professional before using or acting on any information provided in this article