The HHS’ Office for Civil Rights (OCR) has investigated a case of impermissible disclosure of PHI by a HIPAA-covered entity’s business associate and discovered serious HIPAA non-compliance issues, which warranted a financial penalty.
Advanced Care Hospitalists (ACH) is a contractor physicians’ group based in Lakeland, FL that provides internal medicine doctors to hospitals and nursing homes located in West Florida. ACH, as a HIPAA-covered entity, needs to adhere to the HIPAA Security, Privacy and Breach Notification Rules.
From November 2011 to June 2012, ACH obtained billing services from an individual who claimed to be a representative of Doctor’s First Choice Billings Inc., a medical billing services provider in Florida. That person used the name of First Choice and its website; however, the owner of First Choice stated that the company was unaware of the individual and had not authorized the use of its website or company name.
ACH received a report from a local hospital on February 11, 2014 stating some of its patient data – such as names, dates of birth, Social Security numbers, and clinical data – were accessible on the website of First Choice. The following day, the website was closed down.
ACH submitted a data breach report to OCR in April 2014 regarding the impermissible disclosure of the protected health information (PHI) of patients. In the breach report, ACH stated that 400 patients had been affected by the data breach, but later corrected the breach report after discovering the PHI of another 8,855 patients had also been impermissibly disclosed.
OCR looked into the breach and found that even though ACH had been in operation since 2005, the company did not follow the HIPAA Privacy, Security, and Breach Notification Rules and had not implemented HIPAA policies and procedures prior to April 1, 2014. ACH was also found to have neglected to implement proper security controls and had not performed a risk analysis prior to March 4, 2014.
Although PHI was shared with the person offering medical billing services, ACH did not sign any business associate agreement (BAA) with that person. Without a BAA, ACH impermissibly disclosed to a third party the PHI of 9,255 patients for billing processing services, and that PHI was later exposed online.
Besides paying the $500,000 penalty, ACH agreed to a corrective action plan to resolve all HIPAA compliance violations. OCR Director Roger Severino said that this case is particularly concerning because the names and Social Security numbers of many thousands of patients were exposed online as a direct result of the failure to follow basic HIPAA security requirements.
This is the ninth OCR HIPAA compliance fine of 2018. To date, $25,572,000 in fines have been paid as a direct result of HIPAA compliance failures.