$100K HIPAA Breach due to Online Patient Calendars

by | Mar 17, 2012

Before publishing Protected Health Information on any public website it is vital that the medium is reviewed for security risks. If a website is owned or controlled by a third party or a cloud service is supplied, a signed business associate agreement must also be obtained before any information is posted.

It may seem simplistic to state that ePHI cannot be posted on publicly accessible websites; however it is an error that can easily be made if the staff has not been trained on the requirements of the Privacy Rule. Since online calendars and appointment systems also include PHI, these too must be reviewed to ensure they are HIPAA-compliant.

Using online services can improve efficiency but it cannot be at the cost of data security, as Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, AZ recently found.

Some employees at the clinic were posting clinical and surgical appointments in the online calendar; however the server on which the calendar was hosted was open to the public and did not have the necessary security measures installed to protect the information stored.

The Department of Health and Human Services was told about the practice and its Office for Civil Rights conducted an investigation. It found that Phoenix Cardiac Surgery had been violating HIPAA Privacy and Security Rules by using the online calendar and had not put in place the policies and procedures to keep ePHI safe.

The extensive review also found uncovered a number of other HIPAA compliance issues and too little had been done to bring the practice in line with HIPAA regulations. Only some of the requirements of the HIPAA Privacy and Security Rules had been put in place and many privacy and security risks remained. There were also too few technical and administrative safeguards in place to safeguard data.

Phoenix Cardiac Surgery has now agreed a settlement with the OCR for $100,000 for the HIPAA breaches and must also put in place a comprehensive action plan to bring its IT systems, policies and procedures up to date with current HIPAA regulations.

In the announcement of the settlement, OCR director Leon Rodriguez Stated “This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules.”

The OCR identified four key areas where HIPAA had been breached:

  • Inadequate security measures put in place to protect patient information
  • Lack of documentation showingstaff had received training on HIPAA Privacy and Security Rules
  • Failure to obtain a security official and conduct a thorough risk analysis
  • No business agreements had been completed with the providers of internet E-mail and calendar services; a requirement under HIPAA as the service involved storing ePHI

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy