Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

4/23/2012
11:25 AM
50%
50%

Online Calendar Mistakes Cost Doctors Group $100,000

HHS penalizes Phoenix Cardiac Surgery for violating HIPAA privacy regulations, including making patient appointments publicly available on the Internet.

Health Data Security: Tips And Tools
Health Data Security: Tips And Tools
(click image for larger view and for slideshow)
Phoenix Cardiac Surgery has agreed to pay the U.S. Department of Health and Human Services (HHS) $100,000 for posting patient information on the Internet without adhering to federal privacy and security safeguards for personal health information.

The settlement with the Arizona physician practice follows an investigation by the HHS Office for Civil Rights (OCR) into potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules.

The OCR investigation was sparked by a report that Phoenix Cardiac Surgery was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible.

Further investigations revealed that the physician practice implemented few policies and procedures to comply with the HIPAA privacy and security rules, and had limited safeguards in place to protect patients' electronic protected health information (ePHI).

[ Practice management software keeps the medical office running smoothly. For a closer look at KLAS' top-ranked systems, see 10 Top Medical Practice Management Software Systems. ]

Daniel Berger, president and CEO of Redspin, a company that provides IT risk assessments at hospitals and other medical facilities, told InformationWeek Healthcare that many physician practices quickly and easily adopt Internet-based applications without thinking that these tools could affect the privacy and security of a patient's digitized medical records.

"To an average doctor in a practice, an online calendaring application probably seems like a good productivity enhancement tool that is relatively innocuous," Berger said.

While describing the incident as an "egregious oversight," Berger also noted that many lessons can be learned from this unfortunate event. "It is a good reminder of the IT security knowledge gap that still exists, particularly among privately owned physician groups. There is an enormous amount of education left to do," Berger said. "The publicity that accompanies OCR enforcement actions raises awareness, but, to minimize these incidents in the future, a vast amount of education remains to be done at the physician level."

According to OCR director Leon Rodriguez, the case is significant because it highlights a multi-year, continuing failure on the part of Phoenix Cardiac Surgery to comply with the requirements of the HIPAA privacy and security rules.

"We hope that healthcare providers pay careful attention to this resolution agreement and understand that the HIPAA privacy and security rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity," Rodriguez said in a statement.

According to the HHS resolution agreement, from July 2007 until February 2009, Phoenix Cardiac Surgery posted more than 1,000 separate entries of ePHI on a publicly accessible, Internet-based calendar, and from September 2005 until November 2009, the physician practice daily transmitted ePHI from an Internet-based email account to workforce members' personal Internet-based email accounts.

OCR's investigation also revealed that during the period of time that Phoenix Cardiac Surgery used the Internet-based calendar, a number of actions that would have protected patient information were not taken, including:

-- Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information;
-- Phoenix Cardiac Surgery failed to document that it trained any employees on its policies and procedures regarding the HIPAA privacy and security rules;
-- Phoenix Cardiac Surgery failed to identify a security official and conduct a risk analysis; and
-- Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.

In addition to paying $100,000, Phoenix Cardiac Surgery has agreed to a corrective action plan that includes a review of recently developed policies and other actions taken to come into full compliance with the HIPAA privacy and security rules.

In a related story, last month HHS announced that Blue Cross Blue Shield of Tennessee (BCBST) agreed to pay $1.5 million to settle potential HIPPA violations that involved the theft of 57 unencrypted computer hard drives that contained the protected health information of over 1 million individuals.

The 2012 InformationWeek Healthcare IT Priorities Survey finds that grabbing federal incentive dollars and meeting pay-for-performance mandates are the top issues facing IT execs. Find out more in the new, all-digital Time To Deliver issue of InformationWeek Healthcare. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NJ Mike
50%
50%
NJ Mike,
User Rank: Apprentice
5/18/2012 | 6:41:32 PM
re: Online Calendar Mistakes Cost Doctors Group $100,000
Why is the payment going to the federal government? It should be going to those patients whose privacy was violated.
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
A Lawyer's Guide to Cyber Insurance: 4 Basic Tips
Beth Burgin Waller, Chair, Cybersecurity & Data Privacy Practice , Woods Rogers PLC,  7/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-10100
PUBLISHED: 2019-07-18
Dolibarr 7.0.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: allow malitious html to change user password, disable users and disable password encryptation. The component is: Function User password change, user disable and password encryptation. The attack vector is: admin access ...
CVE-2019-10100
PUBLISHED: 2019-07-18
domainmod v4.10.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: There is a CSRF vulnerability that can change admin password. The component is: http://127.0.0.1/settings/password/ http://127.0.0.1/admin/users/add.php http://127.0.0.1/admin/users/edit.php?uid=2. The attack vector ...
CVE-2019-10100
PUBLISHED: 2019-07-18
domainmod(https://domainmod.org/) domainmod v4.10.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: There is a CSRF vulnerability that can add the administrator account. The component is: http://127.0.0.1/admin/users/add.php. The attack vector is: After the administrator logged in,...
CVE-2019-10100
PUBLISHED: 2019-07-18
domainmod(https://domainmod.org/) domainmod v4.10.0 is affected by: Cross Site Request Forgery (CSRF). The impact is: There is a CSRF vulnerability that can change the read-only user to admin. The component is: http://127.0.0.1/admin/users/edit.php?uid=2. The attack vector is: After the administrato...
CVE-2016-10762
PUBLISHED: 2019-07-18
The CampTix Event Ticketing plugin before 1.5 for WordPress allows CSV injection when the export tool is used.