On Dec. 5, 2018, the Office for Civil Rights (OCR) of the U. S. Department of Health and Human Services (HHS) announced that Advanced Care Hospitalists PL (ACH) had entered into a $500,000 settlement and resolution agreement (RA) resulting from OCR’s investigation of ACH’s breach notification on April 11, 2014, and subsequent supplemental notification. On Feb. 11, 2014, ACH was initially notified by a local hospital that patient demographic and clinical information, including Social Security numbers, were viewable on the website of Doctor’s First Choice Billing Inc. (First Choice). On April 11, 2014, ACH initially notified 400 patients, and after further investigation, notified an additional 8,855 patients.
OCR’s investigation found that ACH had impermissibly disclosed the protected health information (PHI) of 9,255 patients to a third party for billing processing services — without the protections of a business associate agreement from November 2011 to June 2012 — and failed to adopt any policy requiring business associate agreements until April 2014. Additionally, ACH had been in business since 2005, but had not conducted any risk analysis or implemented any Health Insurance Portability and Accountability Act (HIPAA) privacy, security and breach notification policies before 2014. OCR also noted that the engagement was with an individual who purported to be a representative of First Choice and used First Choice’s name and website — allegedly without any knowledge of this arrangement or permission from First Choice.
The RA is effective for two years and requires ACH to comply with a detailed corrective action plan (CAP). The terms and conditions are similar to other CAPs that OCR has imposed on covered entities; however, this document highlights the importance that all covered entities, including physician practices, have HIPAA privacy, security and breach notification policies and procedures in place. It is equally important for a physician practice covered entity to conduct due diligence with its vendors to ensure that the vendors are legitimate businesses that have also implemented relevant HIPAA privacy, security and breach notification policies and procedures. Additionally, a physician practice covered entity should enter into a written agreement for services with its vendor, and require a written, signed business associate agreement when the services require the vendor to receive, create, transmit or maintain the covered entity’s PHI. In this instance, ACH did not have any HIPAA-required policies and procedures in place, leaving to question ACH’s understanding of its regulatory obligations and consequences for noncompliance with the HIPAA rules.
Many physician practice covered entities do not think they can afford the costs to implement a privacy and security program due to their size and revenue. However, the HIPAA rules permit some scalability to maintain compliance based on the size of the physician practice. The ACH settlement and RA highlight that the financial and intrinsic costs associated with a breach of patient information are much higher than the initial time and costs for a physician practice to implement a privacy and security program.
The CAP provides a strict timeline for ACH to develop the HIPAA privacy, security and breach notification policies and procedures, and requires ACH to obtain approval from OCR prior to implementation. More specifically, the CAP requires ACH to:
- Account for all business associates, including the names, description of services, date engaged, and copies of the business associate agreements;
- Conduct and complete an enterprisewide security risk analysis of all electronic equipment, data systems, programs and applications that contain, store, transmit or receive electronic PHI, and then complete an inventory of these assets;
- Develop an organizationwide risk management plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis and create a timeline for implementation of the risk mitigation strategies;
- Conduct annual risk analyses and corresponding risk management plans;
- Review and revise its written policies to comply with the HIPAA privacy, security and breach notification rules, and distribute the approved policies and procedures to all ACH workforce members; obtain documentation that the workforce read, understood, and accepted the responsibility to abide by the policies; and periodically review and revise the policies and procedures to comply with changes in operation or compliance, law and HHS guidance;
- Conduct annual training and education for its workforce; review and revise its training materials annually to comply with changes in operation or compliance, law and HHS guidance;
- Investigate and report to OCR any workforce member’s noncompliance with the revised policies and procedures; and
- Provide annual reports to OCR of ACH’s compliance with the CAP.
A copy of the HHS press release and resolution agreement are available at the following links: