A medical group practice based in Lakeland, Fla. must pay $500,000 to settle potential HIPAA violations and adopt a substantial corrective action plan after a data breach that could have affected more than 9,000 patients was discovered.
According to the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services, between November 2011 and June 2012, Florida-based Advanced Care Hospitalists (ACH) engaged the services of an individual who claimed to be part of Doctor’s First Choice Billings, Inc. The individual provided medical billing services to ACH using First Choice’s name and website, but (and here is where it gets interesting) without the knowledge or permission of First Choice’s owner.
It wasn’t until February 2014 that a local hospital notified ACH that patient information – including names, dates of birth and Social Security numbers – was viewable on First Choice’s website. ACH was able to identify at least 400 affected patients and asked First Choice to remove the information from its website. ACH then filed a breach notification report with OCR covering those 400 individuals. Upon further investigation, ACH filed a supplemental report noting that another 8,855 patients could also have had their protected health information exposed.
An OCR investigation found that ACH never entered into a business associate agreement with the person it had contracted with to provide medical billing services (as required by HIPAA) and failed to adopt any policy requiring such an agreement until after the breach was discovered.
A HIPAA Business Associate Agreement is a contract between a covered entity and a business associate, or between a business associate and a subcontractor, that stipulates how Protected Health Information (PHI) may be used and disclosed and what safeguards the business associate must apply to it.
In addition, although it had been in business since 2005, ACH had not conducted a risk analysis or implemented security measures or any other written HIPAA policies or procedures before 2014 – once again, years after the alleged violations took place and only after the breach came to light. The HIPAA Security Rule requires entities to perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the entity’s electronic protected health information.
As part of the corrective action obligations, within the next 120 days ACH must provide OCR with an accounting of its business associates, including their names, a description of the services each provides, and the date those services began.
It must conduct an organization-wide analysis of security risks and vulnerabilities to include all electronic equipment, data systems, programs and applications controlled, administered, owned or shared by ACH or its affiliates. OCR will then review the risk analysis.
Within 90 days of approval of the risk analysis, ACH will then have to develop an organization-wide risk management plan to address and mitigate security risks and vulnerabilities identified in the risk analysis, including a timeline for implementation, evaluation and revision. OCR will then have to review and approve the plan.
It is important for healthcare providers to understand when a business associate agreement is required. A “business associate” is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involves access by the business associate to protected health information. A “business associate” also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate.
This is the second settlement announced by OCR in the past month. As we recently wrote about, Allergy Associates settled for $125,000 after a physician disclosed the PHI of a patient to a television station.
Covered entities would be well-advised to ensure they are HIPAA compliant and have conducted rigorous risk analysis of their practice. The Health Law Offices of Anthony C. Vitale can assist with conducting risk analysis, as well as help to establish proper HIPAA rules and procedures and, if necessary, defend you should a breach occur.
Contact us for additional information at 305-358-4500 or send us an email at firstname.lastname@example.org, and let’s discuss how we might be able to assist you.