Missing BAA Results in $500,000 HIPAA Settlement
On December 4, 2018, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) announced that Advanced Care Hospitalists (ACH) agreed to pay $500,000 to settle alleged HIPAA violations arising out of ACH not having a business associate agreement (BAA) in place with a billing services contractor.
According to the OCR’s press release announcing the settlement, ACH provides contracted internal medicine physicians to hospitals and nursing homes in Florida.
For a seven-month period in 2011 and 2012, ACH engaged the services of an individual that claimed to be part of a Florida-based company named Doctor’s First Choice Billings, Inc. (First Choice). The individual provided medical billing services to ACH using First Choice’s name and website, but allegedly without any knowledge or permission of First Choice’s owner.
In 2014, a Florida hospital notified ACH that patient protected health information (PHI) was viewable on the First Choice website. ACH asked First Choice to remove the PHI from its website and ACH filed a breach notification report with OCR. Approximately 9,000 individuals’ PHI was improperly exposed.
The OCR investigation noted that ACH never entered into a BAA with the individual providing medical billing services to ACH as is required by HIPAA. Moreover, ACH did not have policies in place at the time relating to business associates (ACH had been in operation since 2005). In addition, the OCR concluded that prior to 2014 ACH had not conducted a risk analysis or implemented any written HIPAA privacy, security or breach notification policies or procedures.
In addition to the $500,000 payment, ACH agreed to enter into a two-year corrective action plan (CAP) that requires ACH to:
- Provide an annual accounting of its business associates;
- Provide copies of its executed BAAs;
- Perform an enterprise-wide analysis of its security risks and vulnerabilities;
- Revise its written policies and procedures to comply with the HIPAA privacy, security and breach notification rules;
- Distribute the policies and procedures to members of its workforce and provide workforce training; and
- Prepare an implementation report and annual reports with respect to its compliance with the CAP.
In the health care delivery system, it is common for covered entities to engage business associates. A signed BAA between the covered entity and business associate is required for HIPAA compliance as are policies with respect to the engagement of a business associate by a covered entity.
Saul Ewing Arnstein & Lehr’s health law practitioners regularly assist HIPAA-covered entities and business associates prepare and negotiate BAAs, investigate and respond to actual and potential HIPAA breaches, and address all aspects of HIPAA compliance. For more information, contact the authors or the attorney at the Firm with whom you are regularly in contact