Contributed by: Lee Kim, Esq.



The HHS Office for Civil Rights (OCR) received a report that a physician practice, Phoenix Cardiac Surgery (PCS), was posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible. OCR investigated and found that PCS had implemented few policies and procedures to comply with the HIPAA Privacy and Security Rules, and had limited safeguards in place to protect patients' electronic protected health information (ePHI).

Phoenix Cardiac Surgery, P.C., of Phoenix and Prescott, Arizona, has agreed to pay the U.S. Department of Health and Human Services (HHS) a $100,000 settlement and take corrective action to implement policies and procedures to safeguard the protected health information of its patients.

The settlement with the physician practice follows an extensive investigation by the HHS Office for Civil Rights (OCR) for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules.

OCR’s investigation revealed the following issues, among others:

· Failed to implement adequate policies and procedures to appropriately safeguard patient information;

· Failed to document that it trained any employees on its policies and procedures on the Privacy and Security Rules;

· Failed to identify a security official and conduct a risk analysis; and

· Failed to obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its ePHI.


For more information, please visit the following link:

Resolution Agreement and Corrective Action Plan