Hospitalist practice gets $500K fine for HIPAA violations

Advanced Care Hospitalists will pay a $500,000 fine to the HHS Office for Civil Rights and enter into a corrective action plan in response to HIPAA violations.

The practice, serving hospitals and nursing homes in west central Florida, was hit with the penalties after engaging a billing specialist in November 2011 but not entering into a business associate agreement with the biller until April 2014.

OCR has been focusing on the need for providers to enter into business associate agreements and has made clear to the industry that such agreements must be executed.

In this instance, the individual represented himself to Advanced Care Hospitalists as a billing specialist with a company named Doctors First Choice Billings and provided billing services using First Choice’s name and website without the knowledge or permission of First Choice’s owner.

In February 2014, a local hospital notified Advanced Care Hospitalists that patient information from the hospitalist group, including patient names, dates of birth and Social Security numbers, was viewable on the First Choice website.

Advanced Care Hospitalists identified at least 400 affected patients and asked First Choice to remove the protected health information from its website. The practice then filed a breach notification with OCR, noting that 400 individuals were affected, but subsequent additional investigation disclosed that another 8,855 individuals could be affected.

OCR’s investigation determined that Advanced Care Specialists, in operation since 2005, never conducted a risk analysis, never implemented security measures and never adopted any other written HIPAA policies or procedures before 2014, all of which OCR identified as serious HIPAA violations.

“This case is especially troubling because the practice allowed the names and Social Security numbers of thousands of its patients to be exposed on the Internet after it failed to follow basic security requirements under HIPAA,” says OCR Director Roger Severino.

Now, the practice will undertake an OCR-sanctioned corrective action plan that includes a complete enterprisewide risk analysis and implementation of policies and procedures to become HIPAA compliant.

Advanced Care Hospitalists did not respond to an offer to submit a statement.