Risk
4/23/2012
11:25 AM
50%
50%

Online Calendar Mistakes Cost Doctors Group $100,000

HHS penalizes Phoenix Cardiac Surgery for violating HIPAA privacy regulations, including making patient appointments publicly available on the Internet.

Health Data Security: Tips And Tools
Health Data Security: Tips And Tools
(click image for larger view and for slideshow)
Phoenix Cardiac Surgery has agreed to pay the U.S. Department of Health and Human Services (HHS) $100,000 for posting patient information on the Internet without adhering to federal privacy and security safeguards for personal health information.

The settlement with the Arizona physician practice follows an investigation by the HHS Office for Civil Rights (OCR) into potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules.

The OCR investigation was sparked by a report that Phoenix Cardiac Surgery was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible.

Further investigations revealed that the physician practice implemented few policies and procedures to comply with the HIPAA privacy and security rules, and had limited safeguards in place to protect patients' electronic protected health information (ePHI).

[ Practice management software keeps the medical office running smoothly. For a closer look at KLAS' top-ranked systems, see 10 Top Medical Practice Management Software Systems. ]

Daniel Berger, president and CEO of Redspin, a company that provides IT risk assessments at hospitals and other medical facilities, told InformationWeek Healthcare that many physician practices quickly and easily adopt Internet-based applications without thinking that these tools could affect the privacy and security of a patient's digitized medical records.

"To an average doctor in a practice, an online calendaring application probably seems like a good productivity enhancement tool that is relatively innocuous," Berger said.

While describing the incident as an "egregious oversight," Berger also noted that many lessons can be learned from this unfortunate event. "It is a good reminder of the IT security knowledge gap that still exists, particularly among privately owned physician groups. There is an enormous amount of education left to do," Berger said. "The publicity that accompanies OCR enforcement actions raises awareness, but, to minimize these incidents in the future, a vast amount of education remains to be done at the physician level."

According to OCR director Leon Rodriguez, the case is significant because it highlights a multi-year, continuing failure on the part of Phoenix Cardiac Surgery to comply with the requirements of the HIPAA privacy and security rules.

"We hope that healthcare providers pay careful attention to this resolution agreement and understand that the HIPAA privacy and security rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity," Rodriguez said in a statement.

According to the HHS resolution agreement, from July 2007 until February 2009, Phoenix Cardiac Surgery posted more than 1,000 separate entries of ePHI on a publicly accessible, Internet-based calendar, and from September 2005 until November 2009, the physician practice daily transmitted ePHI from an Internet-based email account to workforce members' personal Internet-based email accounts.

OCR's investigation also revealed that during the period of time that Phoenix Cardiac Surgery used the Internet-based calendar, a number of actions that would have protected patient information were not taken, including:

-- Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information;
-- Phoenix Cardiac Surgery failed to document that it trained any employees on its policies and procedures regarding the HIPAA privacy and security rules;
-- Phoenix Cardiac Surgery failed to identify a security official and conduct a risk analysis; and
-- Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.

In addition to paying $100,000, Phoenix Cardiac Surgery has agreed to a corrective action plan that includes a review of recently developed policies and other actions taken to come into full compliance with the HIPAA privacy and security rules.

In a related story, last month HHS announced that Blue Cross Blue Shield of Tennessee (BCBST) agreed to pay $1.5 million to settle potential HIPPA violations that involved the theft of 57 unencrypted computer hard drives that contained the protected health information of over 1 million individuals.

The 2012 InformationWeek Healthcare IT Priorities Survey finds that grabbing federal incentive dollars and meeting pay-for-performance mandates are the top issues facing IT execs. Find out more in the new, all-digital Time To Deliver issue of InformationWeek Healthcare. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NJ Mike
50%
50%
NJ Mike,
User Rank: Apprentice
5/18/2012 | 6:41:32 PM
re: Online Calendar Mistakes Cost Doctors Group $100,000
Why is the payment going to the federal government? It should be going to those patients whose privacy was violated.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8370
Published: 2015-01-29
VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.5, VMware Fusion 6.x before 6.0.5, and VMware ESXi 5.0 through 5.5 allow host OS users to gain host OS privileges or cause a denial of service (arbitrary write to a file) by modifying a configuration file.

CVE-2015-0236
Published: 2015-01-29
libvirt before 1.2.12 allow remote authenticated users to obtain the VNC password by using the VIR_DOMAIN_XML_SECURE flag with a crafted (1) snapshot to the virDomainSnapshotGetXMLDesc interface or (2) image to the virDomainSaveImageGetXMLDesc interface.

CVE-2015-1043
Published: 2015-01-29
The Host Guest File System (HGFS) in VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.5, and VMware Fusion 6.x before 6.0.5 and 7.x before 7.0.1 allows guest OS users to cause a guest OS denial of service via unspecified vectors.

CVE-2015-1044
Published: 2015-01-29
vmware-authd (aka the Authorization process) in VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.5, and VMware ESXi 5.0 through 5.5 allows attackers to cause a host OS denial of service via unspecified vectors.

CVE-2015-1422
Published: 2015-01-29
Multiple cross-site scripting (XSS) vulnerabilities in Gecko CMS 2.2 and 2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) horder[], (2) jak_catid, (3) jak_content, (4) jak_css, (5) jak_delete_log[], (6) jak_email, (7) jak_extfile, (8) jak_file, (9) jak_hookshow[], (10) j...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.