Florida physician contractor group to pay $500K to settle HIPAA violations

A Florida-based contractor physician group will pay $500,000 to settle HIPAA violations after data on more than 9,000 patients was posted online. 

Advanced Care Hospitalists PL, which provides internal medicine doctors to hospitals and nursing facilities in the western part of the state, has also agreed to a corrective action plan as part of the Health Insurance Portability and Accountability Act settlement, the Department of Health and Human Services announced.

Between November 2011 and June 2012, ACH worked with an individual who claimed to be a representative of Doctor’s First Choice Billings Inc. for billing services. This person provided services to ACH using First Choice’s website and its branding but operated without knowledge of the Florida-based company’s owner, according to HHS. 

A hospital notified ACH in February 2014 that patient data was posted to First Choice’s website, including names, birth dates and social security numbers. Initially, ACH identified 400 patients who were affected by the breach, but after further investigation, it concluded that an additional 8,855 patients could have been impacted, according to HHS.  

“This case is especially troubling because the practice allowed the names and social security numbers of thousands of its patients to be exposed on the internet after it failed to follow basic security requirements under HIPAA,” Roger Severino, director of the HHS Office for Civil Rights, said in the announcement.

In its investigation, OCR found that ACH never entered a business associate agreement with the person representing First Choice, as required under HIPAA, and did not adopt a policy requiring such agreements until 2014. 

ACH was formed in 2005, but did not adopt any HIPAA-compliant security policies or procedures before 2014, according to HHS. It also has not conducted a risk assessment, as required under the privacy law. 

Under the corrective action plan, ACH will complete a risk assessment, mandate business associate agreements and implement “comprehensive” HIPAA-compliant policies, HHS said. 
