OCR reaches $500,000 settlement with Florida contractor physician’s group
Advanced Care Hospitalists PL (ACH) in Lakeland, Florida, has agreed to pay $500,000 and undergo a corrective action plan in a settlement with the HHS Office for Civil Rights (OCR) for its alleged violations of HIPAA’s Privacy and Security Rules, OCR announced this week.
ACH provides contracted physicians to hospitals and nursing homes. During the time of the alleged HIPAA violations, it served 20,000 patients in west central Florida. From November 2011 to June 2012, ACH used the medical billing services of an individual who claimed to be a representative of a company named Doctor’s First Choice Billings, Inc. The individual provided medical billing services to ACH using First Choice’s name, allegedly without any knowledge or permission from First Choice’s owner.
In February 2014, ACH was notified by a local hospital that protected health information (PHI), including name, date of birth, and Social Security number, was viewable on the First Choice website. ACH identified at least 400 affected individuals and asked First Choice to remove the PHI from its website. ACH later determined that an additional 8,855 patients may have had their PHI exposed.
OCR’s investigation of the breach found that ACH never entered into a business associate agreement (BAA) with the individual supposedly from Doctor’s First Choice, as required by HIPAA. ACH also failed to adopt a policy requiring BAAs, to implement any other written HIPAA policies or procedures, or to perform a HIPAA-required risk analysis before 2014.
“This case is especially troubling because the practice allowed the names and social security numbers of thousands of its patients to be exposed on the internet after it failed to follow basic security requirements under HIPAA,” said OCR Director Roger Severino in the statement.