A five-physician practice became the first small practice to enter into a resolution agreement that included a civil money penalty over charges that it violated the Health Insurance Portability and Accountability Act Privacy and Security Rules.
The HHS Office for Civil Rights launched an investigation after a complaint was filed alleging that the practice was posting surgery and appointment schedules on an Internet-based calendar that was publicly accessible.
The investigation found that the practice failed to implement adequate policies and procedures to protect patient information; failed to document that it trained employees on HIPAA Privacy and Security Rules; failed to identify a security official within the practice and conduct a risk analysis; and failed to obtain any business associate agreements for its Internet-based email and scheduling services.
The practice agreed to pay $100,000 and take corrective actions.
In announcing a resolution settlement with a cardiac surgery practice, the Dept. of Health and Human Services' Office for Civil Rights issued a warning to doctors: No matter the size of your practice, you will be held accountable for HIPAA violations.
Read the full story here: http://www.ama-assn.org/amednews/2012/04/30/bisd0502.htm and http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/pcsurgery_agreement.html