Florida Hospitalist Group Pays $500,000 to Settle Potential HIPAA Violations
On December 4, 2018, Advance Care Hospitalists (ACH) agreed to pay $500,000. The Office for Civil Rights (OCR) announced that ACH enter into a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA). ACH is a hospitalist group in Central Florida that provides contracted internal medicine physicians to hospitals and nursing homes.
Between November 2011 and June 2012, ACH engaged the services of an individual that represented himself to be a representative of a Florida-based company names Doctor’s First Choice Billings, Inc. (First Choice). The individual provided medical billing services to ACH using First Choice’s name and website, but allegedly without any knowledge or permission of First Choice’s owner.
On February 11, 2014, a local hospital notified ACH that patient information was viewable on the website of ACH’s billing company, including name, date of birth and social security numbers. ACH was able to identify at least 400 affected individuals and asked First Choice to remove the protected health information from its website. ACH filed a breach notification report with OCR on April 11, 2014, stating that 400 individuals were affected; however, after further investigation, ACH filed a supplemental breach report stating that an additional 8,855 patients could have been affected.
OCR emphasized that its investigation revealed that ACH never entered into a Business Associate with the individual providing medical billing services to ACH, as required by HIPAA and ACH failed to adopt policy requiring Business Associate Agreements until April 2014. In addition, OCR noted that although ACH has been in business since 2005, ACH has not conducted a risk analysis or implemented security measures or any other written HIPAA policies or procedures before 2014.
A copy of the OCR press release is available at www.hhs.gov/news.