Failing to vet a vendor could cost you big. With so much on your plate, conducting a HIPAA risk analysis may seem like a place to cut costs. But heed the cautionary tale of one provider that dropped the ball on its risks — and is now paying the price to the tune of a half million dollars.

Background: The HHS Office for Civil Rights recently reached a $500,000 settlement with Advanced Care Hospitalists (ACH), a Florida-based organization that supplies contracted internists to hospitals and nursing homes, for major HIPAA violations. From November 2011 to June 2012, the physicians’ group conducted business with a nefarious individual who claimed to work for Doctor’s First Choice Billings Inc. without the billing company’s knowledge, an OCR release says. However, according to the OCR, it gets worse. In February 2014, a local hospital advised ACH that its patients’ personal information (names, birthdays, and Social Security numbers) was publicly displayed on the First Choice website. Originally, the physicians’ group thought only 400 individuals were impacted, but on further review it was discovered that an additional 8,855 patients were also exposed, notes the OCR. After the agency was notified and the feds began their investigation of the breach, details started to emerge about ACH’s risk analysis shortcomings and its lack of a business associate agreement (BAA) with First Choice, the OCR release indicates. “ACH, as required by HIPAA… failed to adopt any policy requiring business associate agreements until April 2014,” the OCR says.

In addition, “although ACH had been in operation since 2005, it had not conducted a risk analysis or implemented security measures or any other written HIPAA policies or procedures before 2014.”

Takeaway: “While this settlement is a particularly egregious example of an unvetted vendor gone rogue, it highlights the importance of covered entities carefully examining their vendors who may have access to PHI, implementing policies and procedures requiring BAAs for such vendors, and keeping track of their BAAs through a database or other method,” writes attorney Sarah Beth S. Kuyers with national law firm Mintz, Levin, Cohn, Ferris, Glovsky, and Popeo in a legal analysis.

Resolution: According to the resolution agreement (RA), ACH must reform its ways with a “robust” corrective action plan (CAP) in addition to the large financial settlement. The compliance requirements under the CAP include:

Timeline: ACH must submit “all documents and records relating to compliance with this CAP for six (6) years from the effective date” to the OCR “for inspection and copying,” and whenever requested, according to the RA. “The ACH settlement and RA highlight that the financial and intrinsic costs associated with a breach of patient information are much higher than the initial time and costs for a physician practice to implement a privacy and security program,” cautions Cincinnati-based attorney Paulette Thomas with national law firm Baker Hostetler in its Health Law Update blog.

Federal warning: “This case is especially troubling because the practice allowed the names and Social Security numbers of thousands of its patients to be exposed on the Internet after it failed to follow basic security requirements under HIPAA,” stresses OCR Director Roger Severino in a release.

Note: Read ACH’s agreement at www.hhs.gov/sites/default/files/ach-signed-ra-cap.pdf.