In a statement that should send a chill down the spine of every healthcare provider in the United States, Leon Rodriguez, Director of the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS), warned America’s doctors and nurses, “We hope that health care providers pay careful attention to this resolution agreement and understand that the HIPAA Privacy and Security Rules have been in place for many years, and OCR expects full compliance no matter the size of the covered entity.” A five-physician cardiac surgery group in Arizona got the message, along with a bill for non-compliance.
On April 17, 2012, HHS announced it had settled its investigation into Phoenix Cardiac Surgery with a $100,000 payment and an agreement by the practice to implement corrective actions. The investigation was triggered by a complaint from an individual to OCR and led to in-depth scrutiny of Phoenix Cardiac’s HIPAA practices.
So what were the surgeons’ sins? According to the HHS press release announcing the settlement, the primary failure was “posting clinical and surgical appointments for its patients on an Internet-based calendar that was publicly accessible.” In plain terms, patient names and procedure details sat on a calendar that anyone on the Internet could read. The group also failed to obtain business associate agreements with the Internet-based email and calendar vendors that stored its patients’ electronic protected health information. Indeed, the practice had no policies and procedures for safeguarding patient information, had never conducted a risk analysis to identify HIPAA exposures, had no training for its employees on the Privacy and Security Rules, and had no designated security officer. Why did they fail the government’s mandate so badly?
One answer: perhaps they were more focused on the practice of medicine and the surgical care of their patients. While we have no knowledge of Phoenix Cardiac Surgery’s clinical skills or patient outcomes, their biographies suggest more than adequate medical education and surgical training. Most doctors do not see compliance with yet another set of governmental regulations on a tangential administrative aspect of care as a priority. HIPAA was passed in 1996, and its Privacy and Security Rules followed in 2003 and 2005, adding the burden of another unfunded mandate to the backs of medical practices.
So another answer is that Phoenix Cardiac, like so many practices in the US, did not have the resources or the skill set to create policies and procedures for the Privacy and Security Rules. As a consequence, its employees had no formal training in privacy, and no security officer was designated. Perhaps no one was alert to the need for business associate agreements with every vendor that might handle patients’ personal health information. In other words, the practice failed to deliver what HHS wanted. Whether it delivered quality care to its patients is an entirely different question.
What is the take-away message here? As a society, we are continually asking, “Why is medical care so expensive?” We struggle to come up with cogent answers and like to point to all kinds of demographic statistics. Perhaps we should examine HHS’s resolution agreement with the small Phoenix group more closely. There is a lot of administrative cost added here by governmental fiat, and it adds nothing to clinical care. Who is paying?
The government certainly is not, but it is trying to convince us all that it is the solution. After all, it is the big Medicare payer, it is making the rules, and it is hiring the investigators to ferret out healthcare providers who are not following the privacy rules.
The insurers are not. They are shifting their costs onto the medical practices, which spend half of their overhead on coding, billing, and collection.
The answer? We all are. A tax disguised in a mandate’s clothing. Doctors beware: the government is coming.