Blog
Cardiology Practice Settles Alleged HIPAA Violations with Payment of $100,000
May 31, 2012
Under a settlement agreement with the federal government, a cardiology practice in Arizona has agreed to pay $100,000 and implement a corrective action plan for alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). The Department of Health and Human Services Office for Civil Rights alleged that, among other violations, the cardiology group posted patients' protected health information (PHI) on a publicly accessible Internet-based calendar, did not provide and document employee training on the handling of PHI, transmitted PHI to employees' personal email accounts, and did not obtain satisfactory assurances in its business associate agreements that the Internet-based calendar and email accounts used by the practice provided appropriate safeguards for PHI. In addition to paying the $100,000, the group agreed to implement policies and procedures to ensure compliance with HIPAA, including conducting regular risk and vulnerability assessments for electronic PHI, putting technical safeguards in place to protect such information, and providing workforce training on HIPAA privacy and security policies.
Tip: Companies handling protected health information should ensure that they, and their business associates, have adequate policy-based and technical security measures in place to comply with HIPAA's privacy and security requirements. These measures include ensuring employees understand and follow the requirements of the law.
This entry has been created for information and planning purposes. It is not intended to be, nor should it be substituted for, legal advice, which turns on specific facts.