$100K HIPAA Breach due to Online Patient Calendars

Before publishing Protected Health Information on any public website it is vital that the medium is reviewed for security risks. If a website is owned or controlled by a third party or a cloud service is supplied, a signed business associate agreement must also be obtained before any information is posted.

It may seem simplistic to state that ePHI cannot be posted on publicly accessible websites; however it is an error that can easily be made if the staff has not been trained on the requirements of the Privacy Rule. Since online calendars and appointment systems also include PHI, these too must be reviewed to ensure they are HIPAA-compliant.

Using online services can improve efficiency but it cannot be at the cost of data security, as Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, AZ recently found.

Some employees at the clinic were posting clinical and surgical appointments in the online calendar; however the server on which the calendar was hosted was open to the public and did not have the necessary security measures installed to protect the information stored.

The Department of Health and Human Services was told about the practice and its Office for Civil Rights conducted an investigation. It found that Phoenix Cardiac Surgery had been violating HIPAA Privacy and Security Rules by using the online calendar and had not put in place the policies and procedures to keep ePHI safe.

The extensive review also found uncovered a number of other HIPAA compliance issues and too little had been done to bring the practice in line with HIPAA regulations. Only some of the requirements of the HIPAA Privacy and Security Rules had been put in place and many privacy and security risks remained. There were also too few technical and administrative safeguards in place to safeguard data.

Phoenix Cardiac Surgery has now agreed a settlement with the OCR for $100,000 for the HIPAA breaches and must also put in place a comprehensive action plan to bring its IT systems, policies and procedures up to date with current HIPAA regulations.

In the announcement of the settlement, OCR director Leon Rodriguez Stated “This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules.”

The OCR identified four key areas where HIPAA had been breached:

  • Inadequate security measures put in place to protect patient information
  • Lack of documentation showingstaff had received training on HIPAA Privacy and Security Rules
  • Failure to obtain a security official and conduct a thorough risk analysis
  • No business agreements had been completed with the providers of internet E-mail and calendar services; a requirement under HIPAA as the service involved storing ePHI