Lack of BAA costs Florida Contractor Physicians’ Group $500k
Advanced Care Hospitalists (ACH), a Florida-based healthcare provider, faces a $500,000 fine from the Department of Health and Human Services Office for Civil Rights (HHS-OCR) for compliance failures following the disclosure of protected health information (PHI) to an individual later found to be using a false identity. This was the second OCR settlement reached in the same month, following Allergy Associates’ $125,000 penalty for its “reckless” violation of HIPAA law.
According to officials, the individual had been providing ACH with medical billing services, claiming to be part of a third-party billing service. The individual serviced ACH between November 2011 and June 2012, fraudulently using the third party’s name and website without the knowledge or permission of the company’s owner.
In 2014, a local hospital contacted ACH to inform them that PHI – including names, dates of birth and Social Security numbers – was visible on the biller’s website. The website was taken down the next day; however, the PHI of up to 9,255 ACH patients had already been potentially exposed.
Breach of HIPAA
All entities covered by HIPAA are required to enter into a business associate agreement (BAA) with any third party with whom they share PHI (see 45 C.F.R. §164.308(b)). However, the investigation launched by OCR revealed that ACH never implemented a BAA with the individual. A big mistake.
HIPAA also requires all covered entities to perform rigorous, routine risk assessments. However, although ACH was founded in 2005, the company failed to complete any form of risk analysis or to produce any written HIPAA policies or procedures until 2014, according to the OCR.
What’s particularly concerning about the ACH case is that a failure to follow basic HIPAA security requirements potentially compromised the PHI of thousands of patients. It also cost the organization a significant amount of money, not to mention damage to reputation.
Corrective Actions
In addition to the financial settlement of $500,000, ACH has also agreed to meet the following requirements:
- To incorporate a thorough corrective action plan, including the implementation of business associate agreements and a full risk analysis across the entire ACH operation.
- To implement HIPAA-compliant policies and procedures throughout the company.
- To maintain a complete inventory of all electronic devices, data systems, and medical equipment that handle or store ePHI.
All findings will then be sent to officials at the OCR for approval.
While not part of the sanctions enforced by the OCR, it would be prudent for ACH to also reassess their staff training efforts and employees’ attitude towards company security procedures.
This case was the ninth major OCR HIPAA compliance penalty levied in 2018, with such penalties costing healthcare organizations over $25.5 million in fines that year. This demonstrates that ACH is not alone in its vulnerability: for all the anti-malware and firewall systems that are in place, when staff lack sufficient training on how best to protect both themselves and their organization online, healthcare entities will remain susceptible to malicious cyberattacks.
A final word about Business Associate Agreements
Although the implementing regulations for HIPAA (2009) and the HITECH Act (2013) have been in place for years, the OCR is still seeing numerous examples of healthcare organizations exchanging ePHI with business associates without a signed agreement (BAA), which indicates a real need for education in this regard.
Remember, if a provider or covered entity exchanges ePHI with a third party, that third party becomes a business associate regardless of whether or not there is a signed agreement. The rule is that if an organization creates, maintains, receives or transmits ePHI on a more than temporary basis, it will need to have a BAA with the ‘covered entity’ that is providing the ePHI. Lack of a signed agreement with a business associate is a HIPAA violation that the regulator takes seriously, as too many have learned the hard way.
Protecting Patient Privacy & Security with Cloud Fax
For organizations that intend to use cloud fax to replace fax machines – which the vast majority will – HIPAA security should be the number one consideration. A HIPAA-secure fax solution that is built for healthcare should meet every requirement under HIPAA’s rules to ensure that documents are kept secure at all times. A HIPAA-secure fax solution should come equipped with the following privacy and security standards:
- Encryption: All documents should be protected with strong encryption while in transit and at rest.
- Authentication: Strong passwords with two-factor (Password, PIN) authentication, customizable role-based permissions, IP address restrictions and automatic logoff during inactivity.
- Physical security: Servers, storage and databases housed in secure controlled-access facilities.
- Safeguards: Administrative, technical and physical safeguards, including execution of Business Associate Agreements (BAA) to support an organization’s HIPAA compliance.