Precipitating Event: The physician practice was posting clinical and surgical appointments for their patients on an Internet-based calendar that was publicly accessible
From July 3, 2007 until February 6, 2009, XYZ Small Practice posted over 1,000 separate doctor appointments (PHI) on a publicly accessible, Internet-based calendar;
From September 1, 2005 until November 1, 2009, XYZ Small Practice daily transmitted PHI from an Internet-based email account to workforce members’ personal Internet-based email accounts.
From July 3, 2007 until December 3, 2009, XYZ Small Practice permitted the entity providing the Internet-based calendar application to receive, store, and maintain PHI on its behalf without obtaining satisfactory assurances in a business associate agreement with the entity.
From September 1, 2005 (when XYZ began sending PHI by email) until April 16, 2009, XYZ Small Practice failed to identify a security official;
From September 1, 2005 (when XYZ began sending PHI by email) until November 30, 2009, XYZ Small Practice failed to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the PHI held by XYZ Small Practice.
minor modifications for readability
"failed to identify a security official"
No matter how large or small, every medical practice must designate a person to be in charge of HIPAA. ClinicNerds nicknamed this person the 'HIPAA Lifeguard' but the HIPAA Police call it a privacy or security or compliance official.
Ask Yourself: Has your clinic designated and documented a HIPAA Lifeguard?
"failed to conduct an accurate and thorough (risk) assessment"
No matter how large or small, every medical practice must conduct a risk assessment.
Ask Yourself: Has your clinic conducted and documented a risk assessment?
"without obtaining satisfactory assurances in a business associate agreement"
It is important to understand your 'software stack': all the tools the workforce uses to get their job done. Some tool providers are 'mere conduits,' while others store your PHI and thus need a Business Associate Agreement (BAA).
Ask Yourself: Do you know all the (electronic) places where your PHI travels?
One message that is loud and clear is that the HIPAA Police will fine small practices. XYZ Small Practice is a small practice. Just two locations in the same town and two doctors/owners.
This fine is also sending us some mixed messages. For a small practice, a $100,000 fine is pretty harsh. But the HIPAA Probation period is just 1 year, not the usual 3 years. This small practice had made little effort to comply with HIPAA. Maybe that is the reason for the mixed messages.
The legal agreement was signed in April 2012, but the improper activity occurred as far back as 2005. The length of the investigation and the size of the fine point to a contentious, drawn-out legal negotiation. Legal fees probably exceeded the fine amount. Many small practices could not afford over $200k in unplanned expenses.
XYZ Small Practice has two locations. Each location needs a HIPAA Lifeguard. Each location needs a documented risk assessment. Each location needs location-specific training.