A recent $500,000 Florida HIPAA fine is just another example of the growing trend of HIPAA violations cropping up across the country, all stemming from the lack of properly executed business associate agreements.
Advanced Care Hospitalists PL (ACH) has agreed to pay a $500,000 HIPAA fine to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) after a HIPAA investigation revealed violations. ACH provides contracted internal medicine physicians to hospitals and nursing homes in west-central Florida. The organization worked with over 20,000 patients and hired approximately 39 to 46 individuals during the time period relevant to the investigation.
ACH sought help from a medical billing company called Doctor’s First Choice Billings from November 2011 through June 2012. A representative of the company provided services to ACH using First Choice’s name and website, yet without any knowledge or permission of First Choice’s owner.
On February 11, 2014, a local hospital notified ACH that their patients’ protected health information (PHI) was publicly accessible on the First Choice website. The exposed information included names, dates of birth, and Social Security numbers. After the breach was discovered, ACH requested that First Choice remove the 400 identifiable patients’ information from the website. ACH later filed a breach notification report on April 11, 2014, stating that at least 400 individuals were affected. After further investigation, however, ACH filed another breach report stating that an additional 8,855 patients’ PHI may have been exposed.
OCR’s investigation uncovered that ACH never executed a business associate agreement with the representative providing medical billing services to ACH. A business associate agreement (BAA) is mandatory under the HIPAA Omnibus Rule. BAAs must be executed before any PHI is exchanged between the entities or organizations in question. BAAs are essential to protecting patients’ privacy, as well as protecting both organizations from liability in the event of a data breach caused by the other party.
ACH has been in operation since 2005, but had not performed a risk analysis, enforced security measures, or adopted any written policies or procedures before 2014. The OCR investigation determined that not only did ACH fail to execute a BAA with First Choice, but that it also neglected basic HIPAA privacy and security requirements outlined in the federal regulation, resulting in this massive Florida HIPAA fine.
OCR Director Roger Severino stated his concern about the incident, saying: “This case is especially troubling because the practice allowed the names and social security numbers of thousands of its patients to be exposed on the internet after it failed to follow basic security requirements under HIPAA.”
ACH will be required to adopt an effective compliance program that addresses the HIPAA privacy and security standards, in addition to paying the $500,000 Florida HIPAA fine.