Unfortunately, today’s post is about someone finding themselves on the naughty list. Not Santa’s, though getting just a lump of coal in the stocking would be preferable. Nope, this one is going to hurt a little bit.
Back in 2011, Advanced Care Hospitalists, a group practice in Lakeland, Florida, hired someone to help with their billing. That this person was not even affiliated with the billing company that they supposedly represented was the first problem.
Then a couple of years later, one of the hospitals where these physicians worked reached out to the practice and said, ‘Uh, patient information – they were your patients and ours – is up and available and visible on this billing company’s website. Names, birthdates, social security numbers. You might want to look into this.’
The practice initially told the HHS Office for Civil Rights that it had checked and found about 400 individuals to be affected by the breach. That initial number might have been influenced by more hope than diligent fact checking, because at the time, the reporting threshold was 500 patients. They had to subsequently file an amended report that indicated it was actually 8,855 patients who had been exposed.
That little incident triggered a federal investigation, which found that the practice didn’t get a HIPAA Business Associate Agreement (BAA) in place with this rogue biller until 2014. Nor did it conduct the risk analysis or implement the security measures mandated by law until that same year.
As such, the practice now gets to make a little non-voluntary contribution of $500,000 to the US government.
Yes, this group ended up on the wrong list. To stay off that list, make your own list and check it twice. Make sure those pesky little compliance details are buttoned up before you get a very expensive reminder.