A group providing hospitalist physicians on contract has learned the hard way that sharing PHI with vendors is a no-no unless the vendor has signed a business associate agreement. The group, Advanced Care Hospitalists, which serves west-central Florida, has been fined $500,000 for this oversight along with other derelictions of its HIPAA duties.
Between November 2011 and June 2012, ACH farmed out medical billing to an individual identifying himself as a representative of a Florida-based company named Doctor’s First Choice Billings, Inc. (In an unusual twist, this individual apparently signed the ACH deal without knowledge or permission of First Choice’s owner, which raises other questions beyond the scope of this article.)
Later, in February 2014, a hospital let ACH know that patient information was viewable on the First Choice website, including name, date of birth and social security number. Of course, ACH’s first move was to ask First Choice to take the data off of the website. Then, it surveyed the damage done.
After assessing the situation, ACH notified the HHS Office for Civil Rights about the breach. The group eventually concluded that more than 9,000 patients could have been affected. In response, OCR conducted an investigation into the breach — and reviewers weren’t exactly happy with what they found.
The OCR concluded that ACH never entered into a business associate agreement with the individual, which HIPAA requires.
What’s more, it found that despite being in business since 2005, ACH didn’t have a policy requiring that it sign business associate agreements with relevant vendors until April 2014 (another HIPAA foul) and had neither conducted a risk analysis nor implemented security measures or other written HIPAA policies before 2014 (additional, major HIPAA fouls).
Given the extent to which its HIPAA compliance, well, didn’t exist, OCR is asking for more than the $500K. ACH has agreed to a corrective action plan including the adoption of business associate agreements, a thorough risk analysis cutting across its entire business and the development of comprehensive policies and procedures needed to comply with HIPAA rules.
Perhaps if ACH had demanded that the unnamed medical billing contractor sign a business associate agreement, it might have avoided the patient data breach, or perhaps not. If nothing else, though, the hospitalist group might have stood a better chance of knowing with whom it had actually contracted, which certainly wouldn’t have hurt.