Not Having One Just Cost A Florida Physician’s Group $500,000!
The requirements of the Health Insurance Portability and Accountability Act of 1996, as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (collectively “HIPAA”), apply to all “Covered Entities”, which include healthcare providers, health plans and healthcare clearinghouses. One such Covered Entity, Advanced Care Hospitalists PL (“ACH”), recently entered into a $500,000 no-fault settlement and a two-year corrective action plan (CAP) with the Office for Civil Rights of the U.S. Department of Health and Human Services (“OCR”) to settle potential violations of HIPAA for failure to have a “Business Associate Agreement” in place.
ACH provides contracted physicians to hospitals and nursing homes in west central Florida and serves more than 20,000 patients annually. It obtained billing data processing services between November of 2011 and June of 2012 from an individual who purported to represent a third-party billing company (“First Choice”). ACH did not enter into a Business Associate Agreement with First Choice or the individual who provided medical billing services.
On February 11, 2014, a local hospital notified ACH that Protected Health Information (“PHI”) was viewable on the First Choice website, including patient names, dates of birth and social security numbers. ACH was immediately able to identify at least 400 affected individuals and promptly asked First Choice to remove the PHI from its website. ACH filed a breach notification report about the incident with OCR on April 11, 2014.
OCR’s investigation revealed that ACH never entered into a Business Associate Agreement with First Choice as required by HIPAA and failed to adopt any policy requiring Business Associate Agreements until April 2014. Although ACH had been in operation since 2005, it had not conducted a Security Rule Risk Assessment or implemented any security measures. In addition, OCR found that ACH had no written HIPAA Privacy or Security Manuals containing policies and procedures before 2014. The HIPAA Rules require Covered Entities to perform an accurate and thorough assessment of the potential risks, threats, and vulnerabilities to the confidentiality, integrity, and availability of an entity’s electronic PHI.
As a reminder, HIPAA requires a Covered Entity to obtain satisfactory assurances from its Business Associate that it will safeguard whatever PHI and electronic PHI (ePHI) the Business Associate creates, receives, maintains, or transmits on behalf of the Covered Entity. HIPAA also requires such Covered Entities to implement policies and procedures that comply with HIPAA, including the requirement to conduct accurate and thorough assessments of the potential risks and vulnerabilities to their ePHI. In this situation, OCR determined that ACH did not obtain such assurances from its Business Associates or implement any appropriate risk analyses and policies and procedures, and as a result violated the HIPAA Privacy and Security Rules.
Here are some questions you should ask yourself now, in light of ACH’s misfortune:
- Have we adopted procedures to investigate all vendors regularly (new and current) who need to access, use, or disclose PHI or ePHI to determine whether they are complying with the HIPAA Privacy and Security Rules?
- Have we adopted a written policy requiring HIPAA Business Associate Agreements with all vendors handling PHI or ePHI?
- Do we have in writing satisfactory assurances from each Business Associate, in the form of a Business Associate Agreement, that they will safeguard whatever PHI and ePHI they create, receive, store or transmit on our behalf?
- Have we conducted a HIPAA Security Rule Risk Assessment in the past 12 months?
- When was the last time we reviewed our HIPAA Compliance Program with our staff?
Don’t be next on the ever-increasing list of Covered Entities penalized for HIPAA violations. At Woods Rogers and Healthcare Compliance Resources, we address questions about HIPAA Business Associate Agreements and other HIPAA compliance issues. We can help you develop and implement a robust HIPAA Compliance Program that includes:
- Preparation and proper use of Business Associate Agreements;
- Complete, enterprise-wide Security Rule Risk Assessments;
- Comprehensive policies and procedures to comply with the HIPAA Privacy and Security Rules; and
- Effective HIPAA training for all employees.
Contact our Health Law team of attorneys, along with Steve Burt of Healthcare Compliance Resources, to discuss your questions about HIPAA risk management, Business Associate Agreements and other HIPAA risks.