Phoenix Cardiac Surgery, P.C, with offices in Phoenix and Prescott, Ariz., will pay a $100,000 fine and implement a corrective action plan under a resolution agreement with the HHS Office for Civil Rights following HIPAA privacy and security rule violations.

OCR began an investigation after learning that the physician practice was posting clinical and surgical appointments on an Internet-based calendar that was publicly accessible, according to an April 17 announcement from the agency. The investigation found that the practice had few policies and procedures to comply with the privacy and security rules.

“This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” OCR Director Leon Rodriguez said in the announcement.

In particular, according to OCR, the practice did not implement adequate policies and procedures, document employee training, identify a security officer, conduct a risk analysis, or obtain business associate contracts with Internet-based email and calendar services. The resolution agreement between OCR Phoenix Cardiac Surgery is available here.

Other organizations that have paid major fines to OCR following breaches include Blue Cross and Blue Shield of Tennessee ($1.5 million), UCLA Health System ($865,000), Massachusetts General Hospital ($1 million), Cignet Health ($4.3 million), Rite Aid ($1 million), CVS/pharmacy ($2.2 million) and Providence Health & Services ($100,000).

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access