The Office for Civil Rights (OCR), the arm of the Department of Health and Human Services that enforces the HIPAA Privacy and Security Rules, recently announced the settlement of an enforcement action against a small cardiothoracic surgery practice. The practice reportedly posted protected health information (PHI) on an internet-based, publicly accessible calendar and transmitted PHI from corporate e-mail accounts to workforce members' personal e-mail accounts. The entity had neither designated a security officer nor conducted a security risk assessment, and had not otherwise met its HIPAA obligations.
OCR required the entity to pay a $100,000 fine and to comply with a corrective action plan. That plan requires the entity to perform a risk assessment and to develop a plan, including appropriate policies and procedures, to protect and secure PHI. The plan must address security measures sufficient to reduce the risks and vulnerabilities to PHI in text messages, an indication that unsecured text messaging can itself be a HIPAA violation.
This enforcement action shows that even small covered entities must comply with HIPAA, and that the enforcement agencies are not limiting their investigations to large institutions.