[00:00.0 - 00:29.6] Advanced Care Hospitalists, PL (ACH), has agreed to pay $500,000 to the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS), and to adopt a substantial corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. ACH provides contracted internal medicine physicians to hospitals and nursing homes in West Central Florida.
[00:29.6 - 00:53.5] ACH provided services to more than 20,000 patients annually and employed between 39 and 46 individuals during the relevant time frame. Between November 2011 and June 2012, ACH engaged the services of an individual who represented himself to be a representative of a Florida-based company named Doctors First Choice Billings, Inc. (First Choice).
[00:53.5 - 01:27.4] The individual provided medical billing services to ACH using First Choice's name and website, but allegedly without any knowledge or permission of First Choice's owner. On February 11, 2014, a local hospital notified ACH that patient information was viewable on the First Choice website, including name, date of birth, and social security number. In response, ACH was able to identify at least 400 affected individuals and asked First Choice to remove the protected health information from its website.
[01:27.4 - 02:00.2] ACH filed a breach notification report with OCR on April 11, 2014, stating that 400 individuals were affected. However, after further investigation, ACH filed a supplemental breach report stating that an additional 8,055 patients could have been affected. OCR's investigation revealed that ACH never entered into a business associate agreement with the individual providing medical billing services to ACH, as required by HIPAA, and failed to adopt any policy requiring business associate agreements until April 2014.
[02:01.0 - 02:30.6] Although ACH had been in operation since 2005, it had not conducted a risk analysis or implemented security measures or any other written HIPAA policies or procedures before 2014. The HIPAA Rules require entities to perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of an entity's electronic protected health information.
[02:30.6 - 03:06.5] "This case is especially troubling because the practice allowed the names and social security numbers of thousands of its patients to be exposed on the internet after it failed to follow basic security requirements under HIPAA," said OCR Director Roger Severino. In addition to the monetary settlement, ACH will undertake a robust corrective action plan that includes the adoption of business associate agreements, a complete enterprise-wide risk analysis, and comprehensive policies and procedures to comply with the HIPAA Rules. Source: HHS.gov. Provided by Access Cloud Sync, a HIPAA-compliant file-sharing solution.