An investigation by the HHS Office for Civil Rights (OCR) into an impermissible disclosure of PHI by a business associate of a HIPAA covered entity has revealed serious HIPAA compliance failures.
Advanced Care Hospitalists (ACH) is a Lakeland, FL-based contractor physician group that supplies internal medicine physicians to nursing homes and hospitals in West Florida. ACH meets the definition of a HIPAA covered entity and is required to comply with the HIPAA Privacy, Security, and Breach Notification Rules. ACH serves roughly 20,000 patients a year and employed between 39 and 46 staff members per year during the period under investigation.
Between November 2011 and June 2012, ACH engaged the services of an individual who claimed to be a representative of Doctor’s First Choice Billings Inc., a Florida-based provider of medical billing services. That individual used First Choice’s company name and website, but according to the owner of First Choice, those services were provided without the knowledge or consent of First Choice.
On February 11, 2014, a local hospital informed ACH that patient information, including names, Social Security numbers, dates of birth, and some clinical information, was accessible on the First Choice website. The website was taken down the following day.
In April 2014, ACH submitted a breach report to OCR concerning the impermissible disclosure of patients’ protected health information (PHI). The breach report initially stated that the PHI of 400 patients had been impermissibly disclosed, but ACH later amended the report after discovering that the PHI of a further 8,855 patients had also been exposed.
OCR investigated the breach and found that, despite having been in operation since 2005, ACH had not implemented any HIPAA Privacy, Security, or Breach Notification Rule policies and procedures before April 1, 2014, and had failed to implement appropriate security safeguards. ACH also failed to conduct a risk analysis until March 4, 2014.
Even though PHI had been disclosed to the individual providing medical billing services, ACH failed to enter into a business associate agreement (BAA) with that individual. As a consequence of the lack of a BAA, ACH impermissibly disclosed the PHI of 9,255 patients to a third party for billing processing services, PHI that was subsequently exposed online.
ACH has agreed to pay a $500,000 financial penalty and to adopt a robust corrective action plan to address all of the HIPAA compliance failures identified.
“This case is particularly worrying because the practice permitted the names and Social Security numbers of thousands of its patients to be displayed on the Internet after it failed to follow basic safety prerequisites under HIPAA,” said OCR Director Roger Severino.
This settlement is the ninth OCR HIPAA enforcement action of 2018. A total of $25,572,000 has now been paid to OCR in 2018 to resolve HIPAA compliance failures.