Privacy & Information Security Law Blog

In the past month, the Department of Health and Human Services (“HHS”) sent its final omnibus rule modifying the HIPAA Privacy, Security and Enforcement Rules to the White House Office of Management and Budget (“OMB”) and announced a $100,000 settlement with Phoenix Cardiac Surgery, P.C. for violations of the HIPAA Rules.

Final Omnibus Rule

On March 24, 2012, the OMB received for review HHS’s final omnibus rule entitled “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules.” The long-awaited Final Rule contains modifications that implement changes made by the Health Information Technology for Economic and Clinical Health Act (the “HITECH” Act), which was enacted in 2009. Among other modifications, the penalty provisions of the Security and Enforcement Rules now will apply directly to business associates, and the Privacy Rule’s definition of “marketing” will be revised to delineate which specific activities constitute marketing of protected health information (“PHI”). The omnibus final rule, which was originally proposed in July 2010, will be published after the OMB’s 90-day review period.

Settlement with Phoenix Cardiac Surgery

On April 17, 2012, HHS announced that it had entered into a Resolution Agreement that requires Phoenix Cardiac Surgery, P.C. to pay $100,000 to HHS and implement a Corrective Action Plan. The agreement followed an investigation by the HHS Office for Civil Rights (“OCR”) of a complaint that Phoenix Cardiac Surgery had improperly disclosed electronic protected health information (“EPHI”) by posting its patients’ surgical appointments on the Internet.

The Resolution Agreement alleges that Phoenix Cardiac Surgery committed repeated violations of the HIPAA Privacy and Security Rules, including failing to: (1) provide adequate HIPAA training to its workforce, (2) implement administrative and technical safeguards that would have prevented the posting of EPHI on publically available Internet calendars and the transmission of EPHI via Internet-based email accounts, (3) designate a HIPAA Security Official and (4) obtain satisfactory assurances from the providers of the Internet-based calendar and email programs that they would safeguard PHI.

In the Corrective Action Plan, Phoenix Cardiac Surgery agrees to develop a comprehensive set of HIPAA policies and procedures and to submit them to OCR for review and approval. After OCR has approved the policies and procedures, Phoenix Cardiac Surgery is required to implement them and train all members of its workforce who use or disclose PHI on their requirements. The Corrective Action Plan provides that the policies and procedures must include the following specific content: (1) a thorough assessment of the risks and vulnerabilities to EPHI, (2) a risk management plan to reduce any risks and vulnerabilities identified by the risk assessment, (3) the identification of a HIPAA Security Official, (4) satisfactory assurances that each business associate will safeguard EPHI pursuant to a contract that contains the HIPAA Privacy and Security Rule provisions required in business associate agreements, (5) technical safeguards that restrict access to EPHI, (6) technical measures to protect EPHI transmitted over an electronic communications network, including via text messaging, and (7) training, including security reminders and procedures for guarding against malicious software. Finally, the Corrective Action Plan requires Phoenix Cardiac Surgery to submit an Implementation Report to OCR within sixty calendar days after receiving OCR’s approval of the HIPAA policies and procedures.