- Florida-based Advanced Care Hospitalists was fined $500,000 by the Office for Civil Rights for multiple HIPAA compliance failures, including sharing protected health information with an unknown vendor.
According to officials, between November 2011 and June 2012 ACH contracted with an individual who claimed to be part of a company called Doctor’s First Choice Billings. The individual provided ACH with medical billing services under First Choice’s name and website, but without the permission or knowledge of First Choice’s owner.
A local hospital contacted ACH on Feb. 11, 2014, notifying officials that patient information was viewable on the First Choice website. The data included names, dates of birth and Social Security numbers.
According to officials, ACH was able to identify the data of 400 patients and asked First Choice to remove the data from its site. The website was shut down and removed from internet access the next day.
ACH filed a breach notification with OCR on April 11, 2014. After further investigation, ACH added another 8,855 patients to the count of those who may have been affected, bringing the total to 9,255.
OCR launched its own investigation into ACH to determine what happened and found that ACH never entered into a business associate agreement with First Choice as HIPAA requires. ACH also did not adopt a business associate policy until 2014.
“At no time during this provision of service was a written agreement in place to meet the requirements [under HIPAA],” according to the resolution agreement.
To make matters worse, although ACH was founded in 2005, the company did not conduct a risk analysis until March 4, 2014, and it had implemented no security measures or any other written HIPAA policies or procedures before 2014.
Under the HIPAA Security Rule, covered entities and business associates must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the electronic protected health information they hold, and keep that analysis current as their environment changes.
“This case is especially troubling because the practice allowed the names and social security numbers of thousands of its patients to be exposed on the internet after it failed to follow basic security requirements under HIPAA,” OCR Director Roger Severino said in a statement.
In addition to the $500,000 fine, ACH must carry out a corrective action plan that includes putting business associate agreements in place and conducting a full enterprise-wide risk analysis. ACH will also need to adopt HIPAA-compliant policies and procedures.
The risk analysis must be completed within 120 days of the agreement’s effective date, and it must include an evaluation of the “security risks and vulnerabilities that incorporates all electronic equipment, data systems, programs and applications controlled, administered, owned, or shared by ACH.”
It must also cover the systems and data of ACH’s affiliates if they “contain, store, transmit or receive ACH ePHI.”
“As part of this process, ACH shall develop a complete inventory of all electronic equipment, data systems, and applications that contain or store ePHI which will then be incorporated in its risk analysis,” according to the agreement. OCR will review the completed analysis and approve or disapprove its findings.
This is the second OCR settlement in the past month. Allergy Associates recently settled with OCR for $125,000 over an impermissible disclosure of patient data made with a “reckless disregard for the patient’s privacy rights.”