[BreachExchange] OCR Fines Florida Physicians Group $500,000 for HIPAA Failures

Destry Winant destry at riskbasedsecurity.com
Wed Dec 5 01:57:19 EST 2018


https://healthitsecurity.com/news/ocr-fines-florida-physicians-group-500000-for-hipaa-failures

December 04, 2018 - Florida-based Advanced Care Hospitalists was fined
$500,000 by the Office for Civil Rights for multiple HIPAA compliance
failures, including sharing protected health information with an
unknown vendor.

According to officials, ACH contracted with an individual who claimed
to be part of a company called Doctor’s First Choice Billings between
November 2011 and June 2012. That individual provided ACH medical
billing services using First Choice’s name and website, but without
the permission or knowledge of the First Choice owner.

A local hospital contacted ACH on Feb. 11, 2014, notifying officials
that patient information was viewable on the First Choice website. The
data included names, dates of birth and Social Security numbers.

According to officials, ACH was able to identify the data of 400
patients and asked First Choice to remove the data from its site. The
website was shut down and removed from internet access the next day.

ACH filed a breach notification with OCR on April 11, 2014 in response
to the breach. But after an investigation, ACH added another 8,855 to
the number of patients that may have been affected, bringing the total
to 9,255.

OCR launched its own investigation into ACH to determine what happened
and found ACH never entered into a business associate agreement with
First Choice as required by HIPAA. Further, they failed to adopt a
business associate policy until 2014.

“At no time during this provision of service was a written agreement
in place to meet the requirements [under HIPAA],” according to the
resolution agreement.

To make matters worse, while ACH was founded in 2005, the company
failed to conduct a risk analysis until March 4, 2014. Further, they
never implemented security measures or any other written HIPAA
policies or procedures prior to 2014.

Under HIPAA, covered entities and business associates are required to
perform thorough, routine risk analysis on potential risks and
vulnerabilities.

“This case is especially troubling because the practice allowed the
names and social security numbers of thousands of its patients to be
exposed on the internet after it failed to follow basic security
requirements under HIPAA,” OCR Director Roger Severino said in a
statement.

In addition to the $500,000 fine, ACH must incorporate a thorough
corrective action plan, which will include implementing business
associate agreements and a full enterprise-wide risk analysis.
Further, ACH will need to instate HIPAA-compliant policies and
procedures.

The risk analysis will need to be conducted within 120 days of the
effective date, and it will include an evaluation of the “security
risks and vulnerabilities that incorporates all electronic equipment,
data systems, programs and applications controlled, administered,
owned, or shared by ACH.”

It will also include the systems and data of its affiliates if they
“contain, store, transmit or receive ACH ePHI.”

“As part of this process, ACH shall develop a complete inventory of
all electronic equipment, data systems, and applications that contain
or store ePHI which will then be incorporated in its risk analysis,”
according to the agreement. The analysis will be reviewed by OCR, and
officials will approve or disapprove of the findings.

This is the second OCR settlement in the past month. Allergy
Associates recently settled with OCR for $125,000, over impermissible
disclosure of patient data with a “reckless disregard for the
patient’s privacy rights.”
