Lack of Business Associate Agreement Triggers HIPAA FineCompany That Provides Contracted Physicians Faces $500,000 Penalty
Federal regulators have slapped a company that provides contracted physicians to hospitals and nursing homes with a $500,000 HIPAA settlement in a breach case involving the lack of a business associate agreement with an individual providing billing services and the exposure of patient data on a website.
In a statement Tuesday, the Department of Health and Human Service' Office for Civil Rights said it signed a resolution agreement - including the financial settlement and a corrective action plan - with Advanced Care Hospitalists.
ACH, based in Plant City, Florida, provides contracted internal medicine physicians to hospitals and nursing homes in west central Florida. OCR says ACH physicians provide services to more than 20,000 patients annually.
Between November 2011 and June 2012, ACH engaged the services of an individual who represented himself to be a representative of a Florida-based company, Doctor's First Choice Billings Inc., OCR says. The individual provided medical billing services to ACH using First Choice's name and website, but allegedly without any knowledge or permission of First Choice's owner, according to OCR.
On Feb. 11, 2014, a local hospital notified ACH that patient information was viewable on the First Choice website, including names, dates of birth and Social Security numbers.
"In response, ACH was able to identify at least 400 affected individuals and asked First Choice to remove the protected health information from its website. ACH filed a breach notification report with OCR on April 11, 2014, stating that 400 individuals were affected; however, after further investigation, ACH filed a supplemental breach report stating that an additional 8,855 patients could have been affected," OCR says.
Lack of BAA
OCR's investigation revealed that ACH never entered into a business associate agreement with the individual providing medical billing services to ACH, as required by HIPAA, and failed to adopt any policy requiring business associate agreements until April 2014.
"Although ACH had been in operation since 2005, it had not conducted a risk analysis or implemented security measures or any other written HIPAA policies or procedures before 2014," OCR says.
"This case is especially troubling because the practice allowed the names and Social Security numbers of thousands of its patients to be exposed on the internet after it failed to follow basic security requirements under HIPAA," says OCR Director Roger Severino.
In addition to the monetary settlement, ACH has agreed to implement a corrective action plan that includes the adoption of business associate agreements, completion of an enterprisewide risk analysis and the creation of comprehensive policies and procedures to comply with the HIPAA rules, OCR says.
ACH did not immediately respond to an Information Security Media Group request for comment on the settlement.
OCR's resolution agreement with ACH indicates that the company will implement a number of corrective actions, including:
- Providing OCR an accounting of all ACH business associates, including names, copies of the BAAs and a description of the services provided;
- Conducting annual comprehensive, enterprise risk analyses and providing them to HHS for review;
- Reviewing and revising written policies and procedures to comply with the HIPAA security, privacy and breach notification rules, subject to HHS review and approval;
- Distributing those written policies and procedures to ACH's workforce, and providing the workforce with related training.
Other Enforcement Actions
The settlement with ACH is OCR's second settlement in recent weeks, and the agency's seventh HIPAA enforcement action so far this year.
On Nov. 16, OCR announced it had signed a $125,000 settlement with Allergy Associates of Hartford a three-doctor practice in Connecticut, in a breach case involving improper disclosure of patient information to the media.
In October, OCR signed a record $16 million settlement with Anthem in the wake of a cyberattack on the health insurer revealed in 2015 that resulted in a massive health data breach impacting nearly 79 million individuals (see: Anthem Mega Breach: Record $16 Million Settlement.)
OCR's financial settlements so far this year total more than $25.5 million.
Lessons to Learn
So, what lessons are emerging for other covered entities and business associates from this latest OCR enforcement action?
This investigation underscores HIPAA's "golden rule," says attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek. "Any organization creating or maintaining sensitive personal information should perform an enterprisewide risk assessment to identify the threats and vulnerabilities to the confidentiality, integrity and availability to the data," he says.
"Use the risk assessment to develop a plan of action that prioritizes those areas that pose the highest risk of compromise to the information system. Make it a management imperative in your organization to follow through on investment and attention to information security."
Privacy attorney Adam Greene of the law firm Davis Wright Tremaine notes: "While $500,000 is well less than the average settlement, it is very large for a covered entity with less than 50 employees."
OCR may have pursued this case more aggressively than most, Greene says, "because of a perceived complete lack of vendor due diligence and because the result was particularly egregious, with patient Social Security numbers publicly available on the Internet."
Although HIPAA does not include a specific vendor due diligence requirement beyond obtaining a business associate agreement, a reasonable amount of vendor screening is essential to ensure that patient and plan member data is properly safeguarded downstream, Greene adds. "Otherwise, a breach by the vendor may bring the covered entity into the government's sights."