Online Patient Calendars Cause $100K HIPAA Breach
Before posting Protected Health Information on any website it is essential that the medium is assessed for security risks. If a website is owned or maintained by a third party or a cloud service is provided, a signed business associate agreement must also be obtained before any information is posted.
It may seem obvious that ePHI cannot be posted on publically accessible websites; however it is a mistake that can easily be made if the staff has not been trained on the requirements of the Privacy Rule. Since online calendars and appointment systems also include PHI, these too must be assessed to ensure they are HIPAA-compliant.
Using online services can improve efficiency but it cannot be at the expense of data security, as Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, AZ recently discovered.
Some members of staff at the clinic were posting clinical and surgical appointments in the online calendar; however the server on which the calendar was hosted was open to the public and did not have the necessary security systems installed to protect the information entered.
The Department of Health and Human Services was tipped off about the practice and its Office for Civil Rights conducted an investigation. It determined that Phoenix Cardiac Surgery had been breaching HIPAA Privacy and Security Rules by using the online calendar and had not implemented the policies and procedures to keep ePHI secure.
The extensive investigation also uncovered a number of other HIPAA compliance issues and too little had been done to bring the practice in line with HIPAA regulations. Only some of the requirements of the HIPAA Privacy and Security Rules had been implemented and many privacy and security risks remained. There were also too few technical and administrative safeguards in place to protect data.
Phoenix Cardiac Surgery has now arrived at a settlement with the OCR for $100,000 for the HIPAA violations and must also implement a comprehensive action plan to bring its IT systems, policies and procedures up to date with current HIPAA regulations.
In the announcement of the settlement, OCR director Leon Rodriguez said “This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the Privacy and Security Rules.”
The OCR found four key areas where HIPAA had been violated:
- Inadequate safeguards put in place to protect patient information
- Lack of documentation proving staff had received training on HIPAA Privacy and Security Rules
- Failure to identify a security official and conduct a thorough risk analysis
- No business agreements had been signed with the providers of internet E-mail and calendar services; a requirement under HIPAA as the service involved storing ePHI