A Florida-based contractor physician group will pay $500,000 to settle alleged HIPAA violations after data on more than 9,000 patients was posted online.
Advanced Care Hospitalists PL (ACH), which provides internal medicine doctors to hospitals and nursing facilities, has also agreed to a corrective action plan as part of the HIPAA settlement, the Department of Health and Human Services announced.
Alleged HIPAA Violations
Between November 2011 and June 2012, ACH worked with an individual who claimed to be a representative of Doctor’s First Choice Billings Inc. for billing services. This person provided services to ACH using First Choice’s website and its branding but operated without knowledge of the Florida-based company’s owner, according to HHS.
A hospital notified ACH in February 2014 that patient data, including names, birth dates and Social Security numbers, had been posted to First Choice’s website. ACH initially identified 400 affected patients, but after further investigation it concluded that an additional 8,855 patients may have been affected, according to HHS.
In its investigation, the HHS Office for Civil Rights (OCR) found that ACH never entered a business associate agreement with the person representing First Choice, as required under HIPAA, and did not adopt a policy requiring such agreements until 2014.
“This case is especially troubling because the practice allowed the names and social security numbers of thousands of its patients to be exposed on the internet after it failed to follow basic security requirements under HIPAA,” Roger Severino, director of the OCR, said in the announcement.
ACH was formed in 2005 but did not adopt any HIPAA-compliant security policies or procedures before 2014, according to HHS. It also had not conducted a risk assessment, as the HIPAA Security Rule requires.
Under the corrective action plan, ACH will complete a risk assessment, mandate business associate agreements and implement “comprehensive” HIPAA-compliant policies.
Business Associate Agreements
Generally speaking, a “business associate” is someone, other than an employee of a covered entity, who performs functions for the covered entity that involve access to protected health information (PHI). HIPAA generally requires covered entities (and business associates that use subcontractors) to enter into contracts with their business associates to ensure that the business associates will properly safeguard PHI.
According to HHS, among other things, HIPAA requires business associate agreements to address the following:
- Describe the permitted and required PHI uses by the business associate.
- Provide that the business associate will not use or further disclose PHI other than as permitted or required by the contract or as required by law.
- Require the business associate to use appropriate safeguards to prevent inappropriate PHI use or disclosure.
If your organization handles protected health information, it is critical that you identify every entity that qualifies as your business associate and make sure you have a HIPAA-compliant business associate agreement with each of them. HHS publishes guidance and sample contract provisions for business associate agreements.