Cardiology Practice Punished for Improper IT Outsourcing

In a development which should be of interest to both healthcare organizations outsourcing IT functions and the companies which provide them, the US Department of Health and Human Services Office of Civil Rights (OCR, the HIPAA enforcement agency) and Phooenix Cardiac Surgery (PCS) just entered into a Resolution Agreement settling a number of HIPAA violations.  PCS agreed to pay $100,000 and undertake a Corrective Action Plan.

What I find particularly interesting were the violations PCS committed in using a third party email and calendar service for its workforce without a Business Associate Contract. The email and calendar items both included PHI, so a BAC was required. PCS also failed to appoint a security official, conduct a risk analysis or train its workforce. I tend to think that the former two failures contributed to the outsourcing violations, since a security official and a risk analysis both should have caught the outsourcing issue.

Unfortunately (for me, not PCS), the Resolution Agreement didn’t go into details about how HIPAA violations could be calculated. The failures to appoint a security official, conduct a risk analysis or have a BAC were all “continuing failures” which could be penalized on a violation-per-day basis, up to 365 days per year. Depending on the level of the violation, potential penalties could be a lot greater than $100,000, I expect. Of course, OCR reserves the right to seek penalties if PCS fails to comply with its Corrective Action Plan . . .