Practice fined $100,000 for posting appointments online
Healthcare organizations are required to protect a great deal of sensitive information. That doesn’t just mean medical records — hospitals and doctors’ offices hold plenty of other data that contains protected health information.
One example: information about patients’ appointments.
Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, AZ, recently agreed to a $100,000 settlement with the U.S. Department of Health and Human Services (HHS) after being investigated for HIPAA violations.
It was discovered that the practice was posting clinical and surgical appointments to an online calendar that could be viewed by the general public. Further investigation uncovered other problems with Phoenix Cardiac Surgery’s privacy practices, such as:
- Failure to implement policies and procedures to safeguard patient information
- Failure to document that the practice had trained employees on security policies and procedures
- Failure to identify a security official and conduct a risk analysis, and
- Failure to obtain business associate agreements with the web-based email and calendar services that held protected health information.
With the settlement, Phoenix Cardiac Surgery became the first small practice to enter into a resolution agreement with a monetary penalty over HIPAA violations, according to American Medical News. In addition to the financial penalty, the practice agreed to take corrective actions.