On April 29, 2012, the HHS Office of Civil Rights (OCR) announced that it entered into a settlement agreement with Phoenix Cardiac Surgery, P.C. (PCS), a private physician practice providing cardiothoracic surgery services in Arizona. As part of the settlement, PCS agreed to pay $100,000 to resolve the matter and enter into a Corrective Action Plan that will remain in effect for one year.

OCR began its investigation of PCS on February 19, 2009. While it is not abundantly clear, it appears from the Resolution Agreement that the investigation arose out of two complaints against PCS. As a direct result of the investigation, OCR found the following violations, among others: (1) PCS failed to provide and document the training of each workforce member for 6 years; (2) PCS posted over 1,000 separate entries of ePHI on a publicly accessible internet-based calendar over a 2-year period; and (3) PCS transmitted ePHI from an internet-based email account to workforce members' personal internet-based email accounts on a daily basis. With respect to violations (2) and (3), OCR found that PCS failed to obtain satisfactory assurances by entering into business associate agreements with each of the companies that provided the internet-based calendar and the internet-based public email.

With its release of the Guide to Privacy and Security of Health Information on May 9, 2012, the Office of the National Coordinator (ONC), another division of HHS, demonstrates that HHS is getting more serious about privacy and security enforcement. The target audience for this Guide is medical practices, with ONC noting that compliance with the HIPAA Privacy and Security Rules is a core requirement of the CMS Meaningful Use incentive program.

Medical practices need to take this opportunity now to evaluate their compliance with the HIPAA Privacy and Security Rules. In its action against PCS, OCR made clear that if protected health information is shared through electronic means, satisfactory assurances are required. This means that, if an office uses e-mail, text messages, or other similar options to communicate with its patients or among its own staff, office management must ensure that proper business associate agreements are in place.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.