HIPAA Fine Violation Spotlight

Private Physician Group charged for not securing a BAA.

Advanced Care Hospitalists (ACH) of west central Florida agreed to pay $500,000 to the Office for Civil Rights (OCR) as a settlement for potential violations of the HIPAA Privacy and Security Rules. ACH provides contracted internal medicine physicians to hospitals and nursing homes and has been in business since 2005.

Between November 2011 and June 2012, ACH worked with an individual who claimed to be a representative of the Florida-based company Doctor’s First Choice Billings, Inc. This individual provided medical billing services to ACH using the name and website of Doctor’s First Choice Billings, yet allegedly did so without the knowledge or permission of First Choice’s owners.

Problems arose when a local hospital notified ACH that patient information, including names, dates of birth, and social security numbers, was viewable on First Choice’s website. ACH subsequently identified 400 affected patients and filed a breach notification report on April 11, 2014. After further investigation, however, it filed a supplemental breach report revealing that a total of 9,255 patients could have been affected.

The subsequent OCR investigation revealed two very troubling things. First, ACH never entered into a Business Associate Agreement (BAA) with the individual who handled its medical billing, as HIPAA requires. In fact, ACH did not adopt any policy requiring business associate agreements until April 2014, after the breach report was filed. Because no BAA was obtained, ACH is responsible and liable for every fine levied as a result of this breach. Second, OCR found that between 2005 and 2014, ACH had never conducted a risk analysis, implemented security measures, or adopted any other written HIPAA policies or procedures. Essentially, ACH chose to ignore the HIPAA Rules entirely and did not move to implement the required policies until after a breach had occurred and patient data was exposed.

The fact that ACH blatantly ignored the rules it was required to follow surely contributed to the size of the financial settlement it agreed to pay.

A fine like this highlights what is almost the worst position to put your practice in: willful non-compliance. Worse still, it is the patients who were hurt by having their data exposed. Not to mention that the individual handling the billing was not even a legitimate employee of the company he claimed to represent, and the data could have been stolen for other, more nefarious ends. To prevent a breach and fine like this, a practice need only have written HIPAA policies and procedures and implement them to the best of its ability, including obtaining BAAs from ALL third-party vendors who have access to protected health information. Healthcare Technology Advisors gladly assists clients not only in performing security risk assessments but in navigating the whole journey of compliance. Visit our compliance solution page for more information.