Arizona Surgery Practice to Pay $100,000 in HIPAA Settlement
Date Posted: April 26, 2012
A heart surgery group practice agreed to pay $100,000 to settle federal allegations that it chronically neglected standard HIPAA requirements such as risk assessment, training and business associate contracts, the U.S. Department of Health and Human Services announced.
HHS’ enforcement action against Phoenix Cardiac Surgery, P.C. (PCS), was triggered by a complaint that PCS was posting patient appointments on a publicly accessible Internet-based calendar. When it investigated, HHS’ Office for Civil Rights found that the five-physician group had implemented few policies or procedures to comply with HIPAA’s privacy and security rules, and had only limited safeguards on electronic protected health information, the agency alleged.
“This case is significant because it highlights a multi-year, continuing failure on the part of this provider to comply with the requirements of the privacy and security rules,” OCR Director Leon Rodriguez said in a statement released April 17. “The HIPAA privacy and security rules have been in place for many years, and OCR expects full compliance no matter the size of a covered entity.”
Like previous HIPAA “resolution agreements,” the PCS settlement imposes a detailed corrective action plan. In this case, PCS must prepare and submit policies and procedures for OCR approval and then, 60 days later, submit an “implementation report” that includes a risk analysis, a risk management plan and signed attestations that all employees have undergone the required training and certified compliance.
See the May issue of the Guide to Medical Privacy & HIPAA.