On December 4, 2018, the Department of Health and Human Services Office for Civil Rights (OCR) announced that Advanced Care Hospitalists PL (ACH) had agreed to pay $500,000 to OCR and adopt a corrective action plan to settle possible violations of the HIPAA Privacy and Security Rules.
ACH provides internal medicine physicians to hospitals and nursing homes. Its physicians serve more than 20,000 patients annually. Between November 2011 and June 2012, ACH obtained billing data processing services from an individual who claimed to represent a third-party billing company named Doctor’s First Choice Billings, Inc. (First Choice). Without knowledge or permission of First Choice, the individual provided medical billing services to ACH using First Choice’s name and website. ACH never entered into a business associate agreement with First Choice or the individual allegedly representing First Choice.
A local hospital notified ACH on February 11, 2014, that patient information was viewable on the First Choice website, including but not limited to social security numbers and clinical information. The website was shut down and removed from internet access on February 12, 2014. ACH filed a breach notification report to OCR on April 11, 2014, and a supplemental breach report thereafter finding that over 9,000 patients could have been affected.
OCR’s investigation determined that not only did ACH fail to enter into a business associate agreement before disclosing PHI to the individual as required by HIPAA, but ACH also failed to have policies in place requiring business associate agreements for sharing of PHI until April 2014. Furthermore, OCR noted that although ACH had been operating since 2005, it failed to conduct a risk analysis as required by the HIPAA Security Rule until March 4, 2014.
ACH’s corrective action plan in part requires ACH to annually submit an accounting of ACH’s business associates and copies of the business associate agreements that it maintains, conduct a risk analysis, develop a risk management plan and review and revise its policies and procedures to comply with the HIPAA Privacy, Security and Breach Notification Rules.
OCR’s press release about this settlement can be found.