OCR began an investigation after learning that the physician practice was posting clinical and surgical appointments on an Internet-based calendar that was publicly accessible, according to an April 17 announcement from the agency. The investigation found that the practice had few policies and procedures to comply with the privacy and security rules.
“This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” OCR Director Leon Rodriguez said in the announcement.
In particular, according to OCR, the practice did not implement adequate policies and procedures, document employee training, identify a security officer, conduct a risk analysis, or obtain business associate contracts with Internet-based email and calendar services. The resolution agreement between OCR and Phoenix Cardiac Surgery is available here.
Other organizations that have paid major fines to OCR following breaches include Blue Cross and Blue Shield of Tennessee ($1.5 million), UCLA Health System ($865,000), Massachusetts General Hospital ($1 million), Cignet Health ($4.3 million), Rite Aid ($1 million), CVS/pharmacy ($2.2 million) and Providence Health & Services ($100,000).