Multispecialty group Advanced Care Hospitalists has agreed to pay a $500,000 fine to HHS for sharing patient information with a third-party vendor without proper safeguards in place.
That action resulted in the breach of data from as many as 9,000 patients, according to HHS, which investigated the case and concluded that Advanced Care Hospitalists had potentially committed multiple HIPAA violations.
Between November 2011 and June 2012, Advanced Care Hospitalists worked with someone who said he was from third-party billing company Doctor's First Choice Billings. The Lakeland, Fla.-based physician group gave the person protected health information for processing bills, according to an HHS investigation. Then, in February 2014, a hospital told Advanced Care Hospitalists that personal, demographic and clinical information from its patients was listed on the billing company's website.
But the two organizations did not have a business associate agreement in place, the contract HIPAA requires covered entities to sign before sharing protected health information with third parties.
Advanced Care Hospitalists also broke HIPAA rules by failing to put proper security measures in place. Until years after the breach, Advanced Care Hospitalists, operational since 2005, had never conducted a risk analysis or implemented security safeguards.
"This case is especially troubling because the practice allowed the names and Social Security numbers of thousands of its patients to be exposed on the internet after it failed to follow basic security requirements under HIPAA," Roger Severino, director of HHS' Office for Civil Rights, said in a statement.
To resolve the violations, Advanced Care Hospitalists not only paid a fine to the Office for Civil Rights but also agreed to a corrective action plan. The physician group, which was not immediately available for comment, did not admit to any wrongdoing.
Compared to another recent data-breach settlement with the OCR, Advanced Care Hospitalists' fine is proportionally large in terms of money per person affected. In October, Anthem agreed to pay the OCR $16 million over a 2015 data breach that affected almost 79 million people. The $500,000 fine Advanced Care Hospitalists agreed to comes to about $54 per person affected, while Anthem's fine comes to just about 20 cents per person.
The Advanced Care Hospitalists breach was one of 314 reported to the OCR in 2014. From the beginning of 2018 through the end of November, there have been 333 breaches reported to the OCR.