Florida physician contractor group to pay $500K to settle HIPAA violations

HIPAA document
Data on more than 9,000 Advanced Care Hospitalist patients was posted online. (Getty/designer491)

A Florida-based contractor physician group will pay $500,000 to settle HIPAA violations after data on more than 9,000 patients was posted online. 

Advanced Care Hospitalists PL, which provides internal medicine doctors to hospitals and nursing facilities in the western part of the state, has also agreed to a corrective action plan as part of the Health Insurance Portability and Accountability Act settlement, the Department of Health and Human Services announced

Between November 2011 and June 2012, ACH worked with an individual who claimed to be a representative of Doctor’s First Choice Billings Inc. for billing services. This person provided services to ACH using First Choice’s website and its branding but operated without knowledge of the Florida-based company’s owner, according to HHS. 

Conference

2019 Drug Pricing and Reimbursement Stakeholder Summit

Given federal and state pricing requirements arising, press releases from industry leading pharma companies, and the new Drug Transparency Act, it is important to stay ahead of news headlines and anticipated requirements in order to hit company profit targets, maintain value to patients and promote strong, multi-beneficial relationships with manufacturers, providers, payers, and all other stakeholders within the pricing landscape. This conference will provide a platform to encourage a dialogue among such stakeholders in the pricing and reimbursement space so that they can receive a current state of the union regarding regulatory changes while providing actionable insights in anticipation of the future.

A hospital notified ACH in February 2014 that patient data was posted to First Choice’s website, including names, birth dates and social security numbers. Initially, ACH identified 400 patients who were affected by the breach, but after further investigation, it concluded that an additional 8,855 patients could have been impacted, according to HHS.  

“This case is especially troubling because the practice allowed the names and social security numbers of thousands of its patients to be exposed on the internet after it failed to follow basic security requirements under HIPAA,” Roger Servino, director of the HHS Office for Civil Rights, said in the announcement. 

RELATED: Judge upholds $4.3M HIPAA fine against MD Anderson

In its investigation, OCR found that ACH never entered a business associate agreement with the person representing First Choice, as required under HIPAA, and did not adopt a policy requiring such agreements until 2014. 

ACH was formed in 2005, but did not adopt any HIPAA-compliant security policies or procedures before 2014, according to HHS. It also has not conducted a risk assessment, as required under the privacy law. 

Under the corrective action plan, ACH will complete a risk assessment, mandate business associate agreements and implement “comprehensive” HIPAA-compliant policies, HHS said. 

Suggested Articles

Attorneys general seeking to defend the ACA argue that their opponents—including the DOJ—have poor legal standing to challenge the law.

What are some of the biggest challenges for independent medical practices?

Researchers at two universities plan to develop an autonomous trauma care system that uses robotics and artificial intelligence to treat soldiers.