Next time, check references.
A Florida hospital contractor was fined $500,000 after its billing group illegally disclosed the medical records of almost 10,000 patients.
What’s more, the biller turned out to be a fake!
Ignoring Business Associate Agreements Puts Everyone At Risk
Advanced Care Hospitalists (ACH) had hired an individual who identified himself as a representative of Florida billing contractor Doctor’s First Choice, Inc.
Upon investigation, however, the owner of First Choice told the Office for Civil Rights (OCR) that he had no affiliation with the representative. Apparently, the “representative” had lied about his connection to First Choice, but managed to gain access to First Choice’s billing software, using it to service his unwitting client.
The Office for Civil Rights is the government agency that enforces HIPAA compliance and investigates violation complaints.
No Business Associate Agreement = No Business
Upon further investigation, OCR learned that ACH had never entered into a Business Associate Agreement with the biller, in violation of HIPAA rules.
Breaches usually reveal more costly violations
In fact, OCR discovered that since ACH first opened in 2005, the company had never even conducted a risk analysis, had never implemented security procedures, and could not demonstrate compliance with any HIPAA policies during its entire nine-year history.
A Business Associate Agreement could have prevented the fraud
The fake contractor worked for ACH for seven months in 2011 and 2012. Had ACH required a Business Associate Agreement, the fraudsters likely would have moved on to another, softer target.
In addition to paying the fine, ACH must undertake a robust corrective action plan and adopt Business Associate Agreements, complete company-wide risk analysis/management, and embrace comprehensive policies and procedures to comply with HIPAA rules.
Are your Business Associate Agreements in place?
You can read the case details and see the hoops ACH has to jump through to meet OCR settlement terms.
How would your company fare if the OCR came knocking? If you aren’t absolutely sure your business is protected against a HIPAA breach, we’re here to help.