Missing BAA Results in $500,000 HIPAA Settlement

Bruce Armon
Saul Ewing LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Saul Ewing Arnstein & Lehr LLP

On December 4, 2018, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced that Advanced Care Hospitalists (ACH) agreed to pay $500,000 to settle alleged HIPAA violations arising out of ACH not having a business associate agreement (BAA) in place with a billing services contractor.

​According to the OCR’s press release announcing the settlement, ACH provides contracted internal medicine physicians to hospitals and nursing homes in Florida.

For a seven-month period in 2011 and 2012, ACH engaged the services of an individual that claimed to be part of a Florida-based company named Doctor’s First Choice Billings, Inc. (First Choice). The individual provided medical billing services to ACH using First Choice’s name and website, but allegedly without any knowledge or permission of First Choice’s owner.

In 2014, a Florida hospital notified ACH that patient protected health information (PHI) was viewable on the First Choice website. ACH asked First Choice to remove the PHI from its website and ACH filed a breach notification report with OCR. Approximately 9,000 individuals’ PHI was improperly exposed.

The OCR investigation noted that ACH never entered into a BAA with the individual providing medical billing services to ACH as is required by HIPAA. Moreover, ACH did not have policies in place at the time relating to business associates (ACH had been in operation since 2005). In addition, the OCR concluded that prior to 2014 ACH had not conducted a risk analysis or implemented any written HIPAA privacy, security or breach notification policies or procedures.

In addition to the $500,000 payment, ACH agreed to enter into a two-year corrective action plan (CAP) that requires ACH to:

  • Provide an annual accounting of its business associates;
  • Provide copies of its executed BAAs;
  • Perform an enterprise-wide analysis of its security risks and vulnerabilities;
  • Revise its written policies and procedures to comply with the HIPAA privacy, security and breach notification rules;
  • Distribute the policies and procedures to members of its workforce and provide workforce training; and
  • Prepare an implementation report and annual reports with respect to its compliance with the CAP.

In the health care delivery system, it is common for covered entities to engage business associates. A signed BAA between the covered entity and business associate is required for HIPAA compliance as are policies with respect to the engagement of a business associate by a covered entity.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Saul Ewing LLP | Attorney Advertising

Written by:

Saul Ewing LLP
Saul Ewing LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Saul Ewing LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide