Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

4/23/2012
11:25 AM
50%
50%

Online Calendar Mistakes Cost Doctors Group $100,000

HHS penalizes Phoenix Cardiac Surgery for violating HIPAA privacy regulations, including making patient appointments publicly available on the Internet.

Health Data Security: Tips And Tools
Health Data Security: Tips And Tools
(click image for larger view and for slideshow)
Phoenix Cardiac Surgery has agreed to pay the U.S. Department of Health and Human Services (HHS) $100,000 for posting patient information on the Internet without adhering to federal privacy and security safeguards for personal health information.

The settlement with the Arizona physician practice follows an investigation by the HHS Office for Civil Rights (OCR) into potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules.

The OCR investigation was sparked by a report that Phoenix Cardiac Surgery was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible.

Further investigations revealed that the physician practice implemented few policies and procedures to comply with the HIPAA privacy and security rules, and had limited safeguards in place to protect patients' electronic protected health information (ePHI).

[ Practice management software keeps the medical office running smoothly. For a closer look at KLAS' top-ranked systems, see 10 Top Medical Practice Management Software Systems. ]

Daniel Berger, president and CEO of Redspin, a company that provides IT risk assessments at hospitals and other medical facilities, told InformationWeek Healthcare that many physician practices quickly and easily adopt Internet-based applications without thinking that these tools could affect the privacy and security of a patient's digitized medical records.

"To an average doctor in a practice, an online calendaring application probably seems like a good productivity enhancement tool that is relatively innocuous," Berger said.

While describing the incident as an "egregious oversight," Berger also noted that many lessons can be learned from this unfortunate event. "It is a good reminder of the IT security knowledge gap that still exists, particularly among privately owned physician groups. There is an enormous amount of education left to do," Berger said. "The publicity that accompanies OCR enforcement actions raises awareness, but, to minimize these incidents in the future, a vast amount of education remains to be done at the physician level."

According to OCR director Leon Rodriguez, the case is significant because it highlights a multi-year, continuing failure on the part of Phoenix Cardiac Surgery to comply with the requirements of the HIPAA privacy and security rules.

"We hope that healthcare providers pay careful attention to this resolution agreement and understand that the HIPAA privacy and security rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity," Rodriguez said in a statement.

According to the HHS resolution agreement, from July 2007 until February 2009, Phoenix Cardiac Surgery posted more than 1,000 separate entries of ePHI on a publicly accessible, Internet-based calendar, and from September 2005 until November 2009, the physician practice daily transmitted ePHI from an Internet-based email account to workforce members' personal Internet-based email accounts.

OCR's investigation also revealed that during the period of time that Phoenix Cardiac Surgery used the Internet-based calendar, a number of actions that would have protected patient information were not taken, including:

-- Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information;
-- Phoenix Cardiac Surgery failed to document that it trained any employees on its policies and procedures regarding the HIPAA privacy and security rules;
-- Phoenix Cardiac Surgery failed to identify a security official and conduct a risk analysis; and
-- Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.

In addition to paying $100,000, Phoenix Cardiac Surgery has agreed to a corrective action plan that includes a review of recently developed policies and other actions taken to come into full compliance with the HIPAA privacy and security rules.

In a related story, last month HHS announced that Blue Cross Blue Shield of Tennessee (BCBST) agreed to pay $1.5 million to settle potential HIPPA violations that involved the theft of 57 unencrypted computer hard drives that contained the protected health information of over 1 million individuals.

The 2012 InformationWeek Healthcare IT Priorities Survey finds that grabbing federal incentive dollars and meeting pay-for-performance mandates are the top issues facing IT execs. Find out more in the new, all-digital Time To Deliver issue of InformationWeek Healthcare. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NJ Mike
50%
50%
NJ Mike,
User Rank: Apprentice
5/18/2012 | 6:41:32 PM
re: Online Calendar Mistakes Cost Doctors Group $100,000
Why is the payment going to the federal government? It should be going to those patients whose privacy was violated.
Major Brazilian Bank Tests Homomorphic Encryption on Financial Data
Kelly Sheridan, Staff Editor, Dark Reading,  1/10/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft Patches Windows Vuln Discovered by the NSA
Kelly Sheridan, Staff Editor, Dark Reading,  1/14/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Post a Comment
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3686
PUBLISHED: 2020-01-17
openQA before commit c172e8883d8f32fced5e02f9b6faaacc913df27b was vulnerable to XSS in the distri and version parameter. This was reported through the bug bounty program of Offensive Security
CVE-2019-3683
PUBLISHED: 2020-01-17
The keystone-json-assignment package in SUSE Openstack Cloud 8 before commit d7888c75505465490250c00cc0ef4bb1af662f9f every user listed in the /etc/keystone/user-project-map.json was assigned full "member" role access to every project. This allowed these users to access, modify, create and...
CVE-2019-3682
PUBLISHED: 2020-01-17
The docker-kubic package in SUSE CaaS Platform 3.0 before 17.09.1_ce-7.6.1 provided access to an insecure API locally on the Kubernetes master node.
CVE-2019-17361
PUBLISHED: 2020-01-17
In SaltStack Salt through 2019.2.0, the salt-api NEST API with the ssh client enabled is vulnerable to command injection. This allows an unauthenticated attacker with network access to the API endpoint to execute arbitrary code on the salt-api host.
CVE-2019-19142
PUBLISHED: 2020-01-17
Intelbras WRN240 devices do not require authentication to replace the firmware via a POST request to the incoming/Firmware.cfg URI.