Florida physician contractor group to pay $500K to settle HIPAA violations

Data on more than 9,000 Advanced Care Hospitalist patients was posted online. (Getty/designer491)

A Florida-based contractor physician group will pay $500,000 to settle HIPAA violations after data on more than 9,000 patients was posted online. 

Advanced Care Hospitalists PL, which provides internal medicine doctors to hospitals and nursing facilities in the western part of the state, has also agreed to a corrective action plan as part of the Health Insurance Portability and Accountability Act settlement, the Department of Health and Human Services announced.

Between November 2011 and June 2012, ACH worked with an individual who claimed to be a representative of Doctor’s First Choice Billings Inc. for billing services. This person provided services to ACH using First Choice’s website and its branding but operated without knowledge of the Florida-based company’s owner, according to HHS. 


A hospital notified ACH in February 2014 that patient data was posted to First Choice’s website, including names, birth dates and social security numbers. Initially, ACH identified 400 patients who were affected by the breach, but after further investigation, it concluded that an additional 8,855 patients could have been impacted, according to HHS.  

“This case is especially troubling because the practice allowed the names and social security numbers of thousands of its patients to be exposed on the internet after it failed to follow basic security requirements under HIPAA,” Roger Severino, director of the HHS Office for Civil Rights, said in the announcement.


In its investigation, OCR found that ACH never entered into a business associate agreement with the person representing First Choice, as required under HIPAA, and did not adopt a policy requiring such agreements until 2014.

ACH was formed in 2005, but did not adopt any HIPAA-compliant security policies or procedures before 2014, according to HHS. It also has not conducted a risk assessment, as required under the privacy law. 

Under the corrective action plan, ACH will complete a risk assessment, mandate business associate agreements and implement “comprehensive” HIPAA-compliant policies, HHS said.