News | April 19, 2012

Cardiac Surgery Center Pays $100,000 for HIPAA Violations Due to Patient Scheduler

April 19, 2012 - Phoenix Cardiac Surgery P.C., of Phoenix and Prescott, Ariz., has agreed to pay the U.S. Department of Health and Human Services (HHS) a $100,000 settlement and take corrective action to implement policies and procedures to safeguard the protected health information of its patients.

The settlement with the physician practice follows an extensive investigation by the HHS Office for Civil Rights (OCR) for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

The incident giving rise to OCR’s investigation was a report that the physician practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. On further investigation, OCR found that Phoenix Cardiac Surgery had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules, and had limited safeguards in place to protect patients’ electronic protected health information (ePHI).

“This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules,” said Leon Rodriguez, director of OCR. “We hope that healthcare providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”

OCR’s investigation also revealed the following issues:

  • Phoenix Cardiac Surgery failed to implement adequate policies and procedures to appropriately safeguard patient information;
  • Phoenix Cardiac Surgery failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;
  • Phoenix Cardiac Surgery failed to identify a security official and conduct a risk analysis; and
  • Phoenix Cardiac Surgery failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.


Under the HHS resolution agreement, Phoenix Cardiac Surgery has agreed to pay a $100,000 settlement amount and to follow a corrective action plan that includes a review of recently developed policies and other actions taken to come into full compliance with the Privacy and Security Rules.

Individuals who believe that a covered entity has violated their (or someone else’s) health information privacy rights or committed another violation of the HIPAA Privacy or Security Rule may file a complaint with OCR at: www.hhs.gov/ocr/privacy/hipaa/complaints/index.html

The HHS Resolution Agreement can be found at: www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/pcsurgery_agreement.pdf

For more information: www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/index.html.
