Overlooked BAA Costly for Florida Group

December 11, 2018 | Cybersecurity | Electronic Health Records | HIPAA | Hospitals

Advanced Care Hospitalists, PL (ACH), a Florida physician group, has learned that failing to enter into a proper business associate agreement (BAA) with a vendor can be a very costly mistake. As a result of that failure, ACH has paid a penalty of $500,000 to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) and was also required to adopt a substantial corrective action plan in order to settle potential liability under HIPAA, according to an HHS press release.

ACH contracts with hospitals and nursing homes in west-central Florida to provide internal medicine physicians. It employs about 40 individuals and provides services to 20,000 patients annually. From November 2011 to June 2012, ACH used an individual it believed was a representative of Doctor’s First Choice Billings, Inc. (“First Choice”) to provide medical billing services. The individual provided those services to ACH while using the First Choice name and website, but allegedly did so without the knowledge or permission of First Choice. In February 2014, a local hospital informed ACH that patient information, including names, dates of birth and Social Security numbers, was viewable on First Choice’s website. ACH filed a breach notification report with OCR in April 2014 that initially identified 400 patients as having been affected, but a subsequent breach report found that an additional 8,855 patients may have been affected.

OCR’s investigation revealed that, although HIPAA required it to do so, ACH never entered into a BAA with the individual who provided the billing services. OCR also discovered that, despite having been in operation since 2005, ACH had no policy requiring BAAs, nor any other HIPAA policies or procedures, prior to 2014. The case of ACH illustrates that BAAs protect not only patients, but providers as well.
