Healthcare News & Insights

Practice fined $100,000 for posting appointments online

Healthcare organizations are required to protect a great deal of sensitive information. That doesn’t just mean medical records: hospitals and doctors’ offices hold plenty of other data that contains protected health information.

One example: information about patients’ appointments.

Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, AZ, recently agreed to a $100,000 settlement with the U.S. Department of Health and Human Services (HHS) after being investigated for HIPAA violations.

It was discovered that the practice was posting clinical and surgical appointments to an online calendar that could be viewed by the general public. Further investigation uncovered other problems with Phoenix Cardiac Surgery’s privacy practices, such as:

  1. Failure to implement policies and procedures to safeguard patient information
  2. Failure to document that the practice had trained employees on security policies and procedures
  3. Failure to identify a security official and conduct a risk analysis, and
  4. Failure to obtain business associate agreements with the web-based email and calendar services that held protected health information.

With the settlement, Phoenix Cardiac Surgery became the first small practice to enter into a resolution agreement with a monetary penalty over HIPAA violations, according to American Medical News. In addition to the financial penalty, the practice agreed to take corrective actions.
