September 2013 Almanac


largest entities whose conduct affects a significant number of people. For example, on April 17, 2012, the OCR sent a strong signal to health-care providers that it intends to enforce the HIPAA Rules aggressively, and it does not intend to give a pass to small health-care providers or practices. HHS announced that it had entered into a $100,000 settlement and executed a resolution agreement with a physician practice with offices in Phoenix and Prescott, Arizona. The investigation was triggered by a report that the cardiology practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. However, the OCR investigation soon expanded into a full review of the entity’s HIPAA compliance. That review resulted in a series of findings, including the following:

• The practice failed to implement adequate policies and procedures to safeguard protected health information appropriately.

• The practice failed to document that it had trained its employees regarding its privacy and security policies and procedures.

• The practice failed to appoint a security official and to conduct a risk assessment.

• The practice failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.

In announcing the settlement, Leon Rodriguez, director of OCR, strongly cautioned the healthcare provider community not to disregard HIPAA: “This case is significant because it highlights a multi-year, continuing failure on the part of this healthcare provider to comply with the requirements of the Privacy and Security Rules. We hope that healthcare providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.” The case clearly illustrates that the OCR has no intention of enforcing HIPAA differently when a provider is a small entity and is not sympathetic to health-care providers who have a history of non-compliance.

Kimberly J. Kannensohn, Esq., is a partner in the Health Care Department of McGuireWoods LLP. She focuses her practice on the provision of corporate and regulatory counseling to healthcare providers, including furnishing guidance to clients regarding HIPAA, the HITECH Act, and state data privacy laws. Amanda Enyeart, Esq., is an associate in the Healthcare Department of McGuireWoods LLP. She advises clients in connection with federal and state health-care laws and regulations, including HIPAA, the HITECH Act, and state data privacy laws.
