Last week, the Office for Civil Rights (OCR) announced that it had reached a settlement with a contract physician group based in Florida to resolve potential HIPAA violations relating to the sharing of protected health information (PHI) with a vendor. The physician group, Advanced Care Hospitalists PL (ACH), agreed to pay $500,000 and to adopt a corrective action plan to address the alleged conduct.
ACH serves more than 20,000 patients per year by providing contracted internal medicine physicians to hospitals and nursing homes. ACH engaged an unnamed individual to provide medical billing services but did not enter into a business associate agreement (BAA). The individual appeared to work for a Florida billing company called Doctor’s First Choice Billings, Inc. (First Choice), but First Choice allegedly had no knowledge of the individual’s activities. ACH later learned through a local hospital that patient information was viewable on First Choice’s website. ACH initially identified about 400 affected individuals and filed a breach notification report with OCR two months after learning of the alleged breach. However, ACH later learned and reported that 8,855 more patients could have been affected.
OCR conducted an investigation and discovered that ACH had never entered into a BAA with the individual as required by HIPAA and failed to have any policies regarding entering into BAAs with vendors who could have access to PHI. In the settlement agreement, ACH admitted no liability but did adopt a corrective action plan that requires ACH to: (1) provide an accounting of its business associates to OCR and copies of business associate agreements; (2) conduct a system-wide security risk analysis, subject to approval by OCR; and (3) develop and implement a risk management plan, also subject to approval by OCR.
While this settlement is a particularly egregious example of an unvetted vendor gone rogue, it highlights the importance of covered entities carefully examining their vendors who may have access to PHI, implementing policies and procedures requiring BAAs for such vendors, and keeping track of their BAAs through a database or other method.