On Tuesday, April 17, 2012, the United States Department of Health and Human Services (HHS) announced that it settled HIPAA violations alleged against Phoenix Cardiac Surgery, P.C. The practice has agreed to pay a $100,000 settlement amount and implement a corrective action plan to come into full HIPAA compliance under agency oversight. The conduct giving rise to HHS’ enforcement action involved the physicians’ reliance on an Internet-based, publicly available calendar that reflected identifiable patient appointment information. The HHS press release describing the settlement is available here.

Upon receiving a complaint, HHS initiated a compliance review that uncovered multiple, long term failures by the practice to implement HIPAA. Many of the violations cited are unrelated to the initial complaint, signaling the type of comprehensive review that has become increasingly common following an individual complaint. For example, HHS specifically noted the practice’s failure to conduct a risk analysis, as mandated by the Security Rule, although that lapse does not directly bear on the practice’s use of the calendar that led to the complaint.

This case is the first significant HIPAA enforcement action involving a physician practice (multiple resolutions with penalties of $865K-$2.25M have been reached in recent years with other types of HIPAA covered entities). The settlement provides a clear picture of the results physician practices can expect if a HIPAA complaint causes the agency to investigate and uncover general failure by the practice to implement the dozens of provisions contained in the HIPAA Privacy and Security Rules.

Leon Rodriguez, director of the Office of Civil Rights (OCR) stated, “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.” In other words, even small businesses with limited funds have been given plenty of time and notice to come into compliance. The agency is no longer willing to show those small businesses leniency, which represents a significant shift in their approach to past compliance reviews.

To assist physician practices understand the importance of HIPAA compliance, Poyner Spruill LLP, an NCMS partner, is developing a toolkit of all HIPAA policies and procedures.  The toolkit will be available following issuance of HHS’ final HITECH rules.