Online Patient Calendars Bring about $100K HIPAA Violation
Prior to displaying Safeguarded Health Info on any website, it’s necessary that the method is evaluated for safety dangers. If a website is maintained or owned by a 3rd party or a cloud service is offered, an authorized business associate contract should also be obtained prior to any info is publicized.
It might appear obvious that ePHI can’t be publicized on freely accessible websites; nevertheless, it’s a fault that can simply be made if the staff hasn’t been educated on the conditions of the Privacy Rule. Because online calendars, as well as appointment systems also contain PHI, these too should be evaluated to make sure they are HIPAA-compliant.
Utilizing online services can increase efficiency however it can’t be at the cost of data safety, as recently discovered by Prescott, AZ and Phoenix Cardiac Surgery, P.C., of Phoenix.
A few associates of staff at the clinic were publicizing surgical and clinical appointments in the online calendar, but the computer network on which the calendar was put was open to the general public and didn’t have the required security systems installed to safeguard the info submitted.
The Division of Health and Human Services was supplied with confidential information regarding the routine and its Office for Civil Rights carried out an inquiry. It concluded that Phoenix Cardiac Surgery had been violating HIPAA Security and Privacy Laws by utilizing the online calendar and had not applied the procedures and policies to keep ePHI protected.
The wide-ranging investigation also revealed many other HIPAA compliance problems and practically nothing had been done to take the practice in accordance with HIPAA rules. Just a few of the prerequisites of the HIPAA Security and Privacy Rules had been applied and a number of security and privacy dangers continued. There were also very few administrative and technical safeguards set up to safeguard data.
Now Phoenix Cardiac Surgery has reached at an agreement with the OCR for $100,000 for the HIPAA breaches and should also put into effect a complete action plan to bring its procedures, policies and IT systems up to date with existing HIPAA rules.
In the declaration of the agreement, Leon Rodriguez, OCR director said, “This case is important since it underlines a multi-year, ongoing failure by this provider to abide by the necessities of the Security and Privacy Regulations.”
The OCR found 4 main areas where HIPAA had been breached:
- No business contracts had been initialed with calendar services and the providers of internet E-mail; a condition under HIPAA as the service involved keeping ePHI
- Failure to pinpoint a security officer as well as carry out a comprehensive risk analysis
- Lack of certification confirming staff had received training on HIPAA Security and Privacy Rules
- Insufficient safeguards set up to defend patient information