Dark Reading is part of the Informa Tech Division of Informa PLC


Risk

4/23/2012 11:25 AM

Online Calendar Mistakes Cost Doctors Group $100,000

HHS penalizes Phoenix Cardiac Surgery for violating HIPAA privacy regulations, including making patient appointments publicly available on the Internet.

Health Data Security: Tips And Tools (slideshow)
Phoenix Cardiac Surgery has agreed to pay the U.S. Department of Health and Human Services (HHS) $100,000 for posting patient information on the Internet without adhering to federal privacy and security safeguards for personal health information.

The settlement with the Arizona physician practice follows an investigation by the HHS Office for Civil Rights (OCR) into potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules.

The OCR investigation was sparked by a report that Phoenix Cardiac Surgery was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible.

Further investigation revealed that the practice had implemented few policies and procedures to comply with the HIPAA privacy and security rules, and had limited safeguards in place to protect patients' electronic protected health information (ePHI).


Daniel Berger, president and CEO of Redspin, a company that provides IT risk assessments at hospitals and other medical facilities, told InformationWeek Healthcare that many physician practices quickly and easily adopt Internet-based applications without thinking that these tools could affect the privacy and security of a patient's digitized medical records.

"To an average doctor in a practice, an online calendaring application probably seems like a good productivity enhancement tool that is relatively innocuous," Berger said.

While describing the incident as an "egregious oversight," Berger also noted that many lessons can be learned from this unfortunate event. "It is a good reminder of the IT security knowledge gap that still exists, particularly among privately owned physician groups. There is an enormous amount of education left to do," Berger said. "The publicity that accompanies OCR enforcement actions raises awareness, but, to minimize these incidents in the future, a vast amount of education remains to be done at the physician level."

According to OCR director Leon Rodriguez, the case is significant because it highlights a multi-year, continuing failure on the part of Phoenix Cardiac Surgery to comply with the requirements of the HIPAA privacy and security rules.

"We hope that healthcare providers pay careful attention to this resolution agreement and understand that the HIPAA privacy and security rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity," Rodriguez said in a statement.

According to the HHS resolution agreement, from July 2007 until February 2009 Phoenix Cardiac Surgery posted more than 1,000 separate entries of ePHI on a publicly accessible, Internet-based calendar. Separately, from September 2005 until November 2009, the practice transmitted ePHI daily from an Internet-based email account to workforce members' personal Internet-based email accounts.

OCR's investigation also found that, during the period in which Phoenix Cardiac Surgery used the Internet-based calendar, the practice failed to take a number of actions that would have protected patient information:

-- Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information;
-- Phoenix Cardiac Surgery failed to document that it trained any employees on its policies and procedures regarding the HIPAA privacy and security rules;
-- Phoenix Cardiac Surgery failed to identify a security official and conduct a risk analysis; and
-- Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.

In addition to paying $100,000, Phoenix Cardiac Surgery has agreed to a corrective action plan that includes a review of recently developed policies and other actions taken to come into full compliance with the HIPAA privacy and security rules.

In a related story, last month HHS announced that Blue Cross Blue Shield of Tennessee (BCBST) agreed to pay $1.5 million to settle potential HIPAA violations stemming from the theft of 57 unencrypted computer hard drives that contained the protected health information of more than 1 million individuals.


Comments
NJ Mike (User Rank: Apprentice)
5/18/2012 6:41:32 PM
re: Online Calendar Mistakes Cost Doctors Group $100,000
Why is the payment going to the federal government? It should be going to those patients whose privacy was violated.