Florida Physicians Group Exposed 9,000 Patients’ Data to Web

December 5, 2018 | Rivkin Rounds Staff | Cybersecurity | Electronic Health Records | HIPAA | Hospitals

A December 4 article in Bloomberg Law’s Health Law & Business, “Florida Physicians Group Exposed 9,000 Patients’ Data to Web,” discussed a $500,000 HIPAA settlement entered into by Advanced Care Hospitalists (ACH), a Florida physician group, with the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). Rivkin Radler’s Eric Fader was quoted in the article.

ACH had failed to enter into a business associate agreement with a third-party billing company, which inadvertently exposed patient information on its website. ACH also failed to perform a security risk analysis, as HIPAA requires, and to implement HIPAA policies and procedures. Eric pointed out that the OCR has focused on the importance of risk analysis in several recent HIPAA settlements, including a $3.5 million settlement with Fresenius Medical Care North America in February 2018 and a record $16 million settlement with Anthem, Inc. in October 2018.

“Data breaches and hacking incidents can happen to any organization even if it’s in compliance with HIPAA, but any covered entity or business associate that still hasn’t figured out how to comply with these core requirements is at risk of getting nailed to the wall by the OCR if they suffer a breach,” Eric said.

Advanced Care’s settlement can serve as a primer on HIPAA basics for those providers who somehow are still not in compliance with HIPAA, he added.
