Small medical practices that think they don’t need to worry about HIPAA privacy and security compliance had better think again. On April 17, 2012, the United States Department of Health and Human Services (“HHS”) announced that its Office of Civil Rights (“OCR”) had reached a settlement with Phoenix Cardiac Surgery, P.C., requiring the practice to pay a $100,000 fine for its “multi-year, continuing failure … to comply with the requirements of the Privacy and Security Rules.” Phoenix Cardiac Surgery is a five-physician practice in Phoenix, Arizona. The practice was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. In addition, the practice had failed to implement even the most basic requirements of the Privacy and Security Rules – such as appointing a security official or adopting basic policies and procedures to appropriately safeguard patient information.
A review of the HHS website on which OCR posts examples of its enforcement actions reveals that most of the examples involve large hospitals, national drugstore chains, and large health insurance companies.
The list of private practices facing enforcement actions appears to be growing, however. Surprisingly, many of the enforcement actions cited on the website deal with a private practice’s misunderstanding of the patient’s right to access his or her own medical records. For example:
· A practice refused to honor an individual's request for a complete copy of her minor son's medical record.
· A practice, apparently at the direction of an insurance company that had requested an independent medical exam of an individual, denied that individual a copy of the medical record of the exam.
· A practice improperly billed a patient a $100.00 “records review fee” in connection with the patient’s request for a copy of his medical record.
· A practice denied an individual access to his records on the basis that a portion of the individual's record was created by a physician not associated with the practice.
· A physician requested that patients sign an agreement entitled “Consent and Mutual Agreement to Maintain Privacy.” The agreement prohibited the patient from directly or indirectly publishing or airing commentary about the physician, his expertise, and/or treatment in exchange for the physician’s compliance with the Privacy Rule.
· A private practice physician denied a patient access to her medical records because the patient had an outstanding balance for services the physician had provided.
Each of these cases arose out of a complaint filed with the OCR by an individual patient. And each of these cases involves one of the most basic provisions of the Privacy Rule.
Physicians, dentists, and other private providers would be well advised to take another look at their practices to ensure that they have the necessary policies and procedures in place to comply with HIPAA. The recent experience of Phoenix Cardiac Surgery, P.C. should serve as a warning that OCR is not only investigating complaints brought against large health insurers and drugstore chains, but that complaints against small, private practices are going to be investigated and prosecuted as well.