Provided by:  Jennifer Kirschenbaum, Esq.

December 6, 2018


A Florida hospitalist staffing company paid the Office for Civil Rights (OCR) $500,000 for failing to have a Business Associate Agreement in place with its billing company. The press release is a bit confusing (to me) because I'm not sure the biller was actually authorized or rendering services above board, but the essential point is this: if there is a breach of patient information and the covered entity has not dotted its i's and crossed its t's, the monetary exposure can be hefty. Here, that number was $500,000 owed to the federal government for failure to have a Business Associate Agreement in place. We could argue over whether the government would have found other reasons to assess that amount if a BAA had been in place... I would take the affirmative position there.

Post Mortem - 

Transgression - 
"On February 11, 2014, a local hospital notified ACH that patient information was viewable on the First Choice website, including name, date of birth and social security number.  In response, ACH was able to identify at least 400 affected individuals and asked First Choice to remove the protected health information from its website.  ACH filed a breach notification report with OCR on April 11, 2014, stating that 400 individuals were affected; however, after further investigation, ACH filed a supplemental breach report stating that an additional 8,855 patients could have been affected."
The Reveal - 

"OCR’s investigation revealed that ACH never entered into a business associate agreement with the individual providing medical billing services to ACH, as required by HIPAA and failed to adopt any policy requiring business associate agreements until April 2014.  Although ACH had been in operation since 2005, it had not conducted a risk analysis or implemented security measures or any other written HIPAA policies or procedures before 2014.  The HIPAA Rules require entities to perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of an entity’s electronic protected health information."

Here is the press release -     

Reminder for easy fixes - 
For basic forms and agreements you need every day, we have them available for a flat fee on our compliance order page - here. Don't forget that you want a Business Associate Agreement with indemnification in your favor, shifting responsibility for the exposure to the vendor when the vendor creates it. Keep in mind that indemnification only reallocates the cost between you and the vendor; it does not relieve the covered entity of its own HIPAA obligations to OCR, which is why the agreement, the risk analysis, and written policies all need to be in place before a breach, not after. 10% off all forms ordered in December.

