Small practices and small practice records management strategies can no longer ignore HIPAA without penalty. On April 17, Phoenix Cardiac Surgery entered a resolution agreement over allegations of violations of the Health Insurance Portability and Accountability Act Privacy and Security Rules (HIPAA). Consisting of five-physicians, Phoenix Cardiac Surgery ultimately agreed to pay $100,000 in penalties, as well as take corrective actions.
Violations involving small practice records management
So, what prompted these punishments, and why is this case significant? To begin, a variety of violations resulted in Phoenix Cardiac Surgery’s $100,000 fine. It failed to document any training of employees on its policies of the Privacy and Security Rules, it never identified a security official or conducted a risk analysis for records management, and its policies did not appropriately safeguard patient information. In terms of HIPAA violations, these violations were fairly typical. Holes in policies involving training and records management are commonplace with the increased scrutiny HIPAA has placed on practices. Practices are still adjusting to the new obstacles digital records pose for potential privacy violations and recordkeeping. Of course, this doesn’t mean that firms can get away with these shortcomings.
But what makes this case special when compared to other similar cases? Interestingly, the practice in question posted patient appointments on a publicly-available, internet-based calendar. The name of the online calendar service was not indicated, but it likely similar to the Google Calendar app. Yikes. This undoubtedly breaches privacy and records management regulations. The practice essentially broadcasted patient data to anybody with internet access. By not using a private digital calendar, this practice did not keep its patients’ confidential information private, demonstrating the growing pains practices face when embracing digital records in the face of HIPAA regulation.
Further significance of the violations
This case is significant for more than the digital calendar violation. In fact, it is the first monetary penalty leveraged against a mid or small-sized practice due to HIPAA violations. Mid or small-sized practices had only been punished with “corrective plans” before. This meant that these practices were given the equivalent of a slap on the wrist regarding records privacy breaches. In short, this action firmly asserts that practices of all sizes must comply with HIPAA, or face the same punitive sanctions large practices are subject to. Additionally, the online, public calendar that was singled out by the investigation means that online tools are coming under increased scrutiny because of their public nature. This includes online apps as well as social media, since it doesn’t get much more public than social media!
Looking ahead and for solutions
This dual expansion of HIPAA’s focus to small and mid-size practices as well as to digital records privacy spells trouble for those practices that do not already have the appropriate policies in place. Small and mid-size firms normally don’t have quite the resources or corporate protocol that larger practices do to respond to the rapidly evolving nature of health records. But, with HIPAA nipping at the heels of small and mid-size practices, such policies must be drafted.
A part of any compliant digital records management strategy is an archiving solution. And with the move to social media, the need to archive these social media records is clear. Help make sure your practice is HIPPA ready. ArchiveSocial is extremely easy to use, cost-effective, and tailored for secure social media records archiving.