The federal Office of Civil Rights (OCR) made the point in April that even small medical offices are not immune from HIPAA enforcement, when a Phoenix cardiology office was fined $100,000 for HIPAA violations stemming from an online calendar system that exposed patient information.
Among the other elements cited were a failure to provide and document training on office privacy policies and procedures, using insecure email to communicate PHI to employees’ private email accounts, failure to conduct a thorough risk analysis, and failure to obtain adequate assurances of compliance from the business associate company that provided the online services at issue.
This situation highlights a common issue: healthcare providers typically fail to consider the HIPAA implications of off-the-shelf or online services other than EMR applications.