Smith, Gambrell & Russell, LLP Smith, Gambrell & Russell, LLP

Menu Search

Experience

  • Industries
  • Services
  • Professionals

Resources

  • SGR Insights
  • News & Events
  • Client Access

About

  • The Firm
  • Careers
  • Contact
  • SGR Alumni
Share
  • Home
  • Newsletters
  • ERISA Newsletter
  • Inadequate HIPAA Safeguards Results in $100,000 Settlement

Inadequate HIPAA Safeguards Results in $100,000 Settlement

May 15, 2012

The Department of Health and Human Services (HHS) recently entered into a $100,000 settlement with a small cardiac surgery group to resolve potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules.  The investigation began when the HHS Office for Civil Rights (OCR) received a report that the surgery group’s clinical and surgical appointments were available to the public on an Internet-based calendar.

Potential Violations.  During the investigation, OCR discovered the surgery group had failed to:

  • Implement adequate policies and procedures to appropriately safeguard protected health information (PHI);
  • Document that it trained employees with access to PHI on its policies and procedures to comply with the HIPAA privacy and security rules;
  • Identify a security official and conduct a risk assessment of the potential risks, vulnerabilities, and threats to electronic PHI (ePHI); and
  • Obtain business associate agreements with Internet-based email and calendar service providers whose services included the storage of, and access to, the surgery group’s ePHI.

In addition to the $100,000 settlement amount, the surgery group agreed to take corrective action to implement policies and procedures to safeguard PHI and comply with the privacy and security rules.

Impact on Group Health Plans.  As explained in our recent HRBenefits Authority, OCR Privacy and Security Audits, OCR is currently auditing up to 150 health plans, health care providers and health care clearing houses as a part of a pilot program designed to ensure compliance with the HIPAA privacy and security rules.  Audits that reveal potential or major compliance violations may result in separate compliance reviews and penalties for compliance failures.

In order to minimize the risk of penalties for compliance failures, group health plans may wish to conduct an internal HIPAA compliance audit to identify potential risks and ensure:

  • The plan’s HIPAA policies and procedures are up to date and being properly administered;
  • Members of the plan’s workforce with access to PHI have been trained on the policies and procedures and the training has been properly documented; and
  • The plan has entered into business associate agreements with Internet or email service providers, who provide storage of, or access to, the plan’s ePHI.

Contact Information.  For more information from Mazursky Constantine, please contact Amy Heppner (404.888.8825) or Kelly Meyers (404.888.8838).  For more information from VCG Consultants, please contact Leslie Schneider (770.863.3617).

 

Please click here for a PDF of this newsletter.

 

Smith, Gambrell & Russell, LLP

SGRLAW®

Experience

  • Industries
  • Services
  • Professionals

Resources

  • SGR Insights
  • News & Events
  • Client Access

About

  • The Firm
  • Careers
  • Contact
  • SGR Alumni

Notices

  • Site Terms
  • Privacy Policy
  • Cookies Policy
  • Transparency In Coverage Rule

Languages

  • Español
  • Deutsch
  • 한국어
  • 日本語
  • 中文
  • Visit our Twitter profile
  • Visit our LinkedIn page
  • Visit our YouTube channel
  • Chambers and Partners Best Law Firms
Search
Remote Access

© 2026 Smith, Gambrell & Russell, LLP

  • Facebook
  • Twitter
  • LinkedIn
  • More Networks
Share via
Facebook
X (Twitter)
LinkedIn
Mix
Email
Print
Copy Link
Powered by Social Snap
Copy link
CopyCopied
Powered by Social Snap
This website uses cookies to improve functionality and performance. If you continue browsing the site, you are giving implied consent to the use of cookies on this website.