
Business Associate’s Data Breach Leads to $500,000 Fine for Hospitalist Group

Posted on December 10, 2018 in Health Information Technology

Published by: Hall Render

The Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced on December 4, 2018 that a hospitalist group (“Group”) that works with hospitals and nursing homes to provide internal medicine physicians has agreed to pay $500,000 and adopt a corrective action plan to settle alleged violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), including the HIPAA Security Rule. The Group has fewer than 50 providers and serves over 20,000 patients.

The alleged violations stem from an arrangement for billing data processing services with an individual claiming to represent a vendor, First Choice Billings, Inc. (“First Choice”). This individual provided billing services while using First Choice’s name and website from November 2011 through June 2012. However, First Choice allegedly did not have any knowledge of this and allegedly did not grant permission to the individual.

In 2014, the Group was notified by a hospital that patient information was available on the First Choice website, including Social Security numbers, names and dates of birth. The Group initially identified 400 affected individuals but, following investigation, increased that number to 8,855 affected individuals. First Choice removed the information from the website.

OCR identified several areas where the Group allegedly failed to comply with HIPAA. The Group failed to enter into a business associate agreement with the individual providing services. Additionally, the Group did not have any HIPAA policies or procedures in place prior to 2014, it had not implemented any security procedures, and it had not conducted a risk analysis even though it had been in operation since 2005.

PRACTICAL TAKEAWAYS

This settlement should remind Covered Entities of the importance of not only having updated HIPAA-compliant policies and procedures in place but complying with those policies. Covered Entities should do the following:

  • Ensure those responsible for contracting are trained to identify when a business associate agreement is needed and keep accurate records of all individuals providing services on behalf of the Covered Entity in accordance with HIPAA policies and procedures;
  • Ensure liability is allocated to reflect each party’s responsibilities and risks in agreements and that those obligations are sufficiently funded; and
  • Perform an enterprise-wide risk analysis and formulate a risk management plan that is updated on a regular basis.

Additionally, Business Associates and Covered Entities should perform information system activity reviews regularly, which should include reviewing their websites to ensure PHI is being accessed and secured properly.

For further information about privacy and security compliance and data breach response, please contact: