The HHS Office for Civil Rights (OCR) investigated an impermissible disclosure of PHI by a business associate of a HIPAA-covered entity and found serious HIPAA violations that warranted a financial penalty.
Advanced Care Hospitalists (ACH) is a contractor physician group located in Lakeland, FL that places internal medicine physicians in hospitals and nursing homes in West Florida. ACH is a HIPAA-covered entity and must comply with the HIPAA Privacy, Security and Breach Notification Rules.
From November 2011 until June 2012, ACH obtained billing services from a person who claimed to be an agent of Doctor’s First Choice Billings Inc., a Florida medical billing services provider. That person used First Choice’s name and website, but the owner of First Choice stated that the company did not know the person and had never authorized him to use its website or company name.
On February 11, 2014, a local hospital reported to ACH that some of its patient information – including names, Social Security numbers, birth dates and clinical information – was publicly accessible on the First Choice website. The next day, the website was no longer accessible.
ACH submitted a breach report to OCR in April 2014 concerning the impermissible disclosure of protected health information (PHI). In the report, ACH stated that the breach affected 400 patients, but later revised the figure after discovering that the PHI of another 8,855 patients had also been impermissibly disclosed.
OCR investigated the breach and found that, from the time ACH began operating in 2005, the company had failed to comply with the HIPAA Privacy, Security, and Breach Notification Rules and had not implemented HIPAA policies and procedures until April 1, 2014. OCR also found that ACH had failed to implement appropriate security measures and had not conducted a risk analysis until March 4, 2014.
Even though PHI was disclosed to the person providing medical billing services, ACH never entered into a business associate agreement (BAA) with that individual. Without such an agreement, ACH impermissibly disclosed the PHI of 9,255 patients for billing processing, and the third party later exposed that data online.
In addition to paying the $500,000 penalty, ACH agreed to implement a corrective action plan to remedy all of its HIPAA compliance violations. The case is considered serious because the names and Social Security numbers of many patients were compromised and published online as a direct consequence of the failure to meet basic HIPAA security requirements.
This is the ninth HIPAA compliance penalty that OCR has issued in 2018. So far this year, OCR has collected $25,572,000 in settlements and penalties for HIPAA compliance violations.