A medical group practice in Lakeland, Fla., will pay a $500,000 fine to settle potential HIPAA violations stemming from its hiring of someone fraudulently representing a vendor.
Advanced Care Hospitalists contracts with hospitals and nursing homes to provide internal medicine physicians. Between November 2011 and June 2012, the practice hired an individual who claimed to be a representative of Doctor’s First Choice Billings to provide medical billing services. It was later revealed that the individual acted without First Choice's knowledge.
In February 2014, a hospital that contracted with the practice notified it that patient information — including names, dates of birth and Social Security numbers — was viewable on First Choice's website.
The practice originally determined 400 individuals were affected in the breach; however, it later filed a supplemental breach report with HHS' Office for Civil Rights indicating 8,855 more patients could have been affected.
A federal investigation found the practice didn't enter into a business associate agreement with the individual who provided the medical billing services until April 2014. HIPAA requires covered entities to establish these types of agreements with third-party vendors to ensure that patients' protected health information is appropriately secured.
The investigation also found that the practice did not conduct a risk analysis or implement security measures as required under HIPAA until 2014.
As part of the settlement, the medical practice will implement a corrective action plan to adopt business associate agreements, conduct an enterprisewide risk analysis and implement comprehensive policies and procedures to comply with HIPAA.