An investigation by the HHS Office of Civil Rights (OCR) found that Phoenix Cardiac Surgery had implemented few policies and procedures to comply with HIPAA rules and had limited safeguard in place to protect patients’ electronic protected health information (ePHI).
In addition, Phoenix Cardiac Surgery failed to document training for employees on its HIPAA policies and procedures and failed to identify a security official responsible for protection of patient information or conduct a risk analysis, OCR concluded.
Also, the office found that Phoenix Cardiac Surgery did not obtained business associate agreements with Internet-based email and calendar services about storage of and access to ePHI.
“This case is significant because it highlights a multiyear, continuing failure on the part of this provider to comply with the requirements of the privacy and security rules. We hope that health care providers pay careful attention to this resolution agreement and understand that HIPAA privacy and security rules have been in place for many years, and OCR expects full compliance no matter the size of the covered entity”, said OCR Director Leon Rodriguez.