Medical Provider Faces $500K Fine for HIPAA Violation: How It Could Have Been Avoided

Advanced Care Hospitalists PL worked with a contractor that positioned itself as affiliated with Doctor’s First Choice Billings, Inc. ACH received medical billing services from this vendor but was later informed that it was not actually an authorized First Choice representative.

The first part of the investigation revealed that 400 patients had information such as their name, social security number and date of birth exposed to that contractor. By the time they finished looking into this situation, 8,855 patients may have been at risk. When OCR looked into the case, it found that ACH didn’t have a business associate agreement in place with this contractor. They didn’t have a policy of establishing these agreements until after the breach occurred. The company also failed to meet other HIPAA requirements, such as a risk analysis and written HIPAA policies. ACH has to pay $500,000 and put a corrective action plan in place to prevent a similar situation from happening in the future.

The Financial Risks of HIPAA Violations

$500,000 plus the expenses associated with the corrective action plan is a significant sum for many medical providers. These companies should be aware that HIPAA violations pose a substantial risk to normal operations and could lead to bankruptcy or the closure of the business.

The Corrective Action Plan

The corrective action plan that ACH is following has three parts:

1. Risk Analysis and Risk Management

This part of the agreement covers an enterprise-wide risk analysis that looks at all potential points of vulnerability. ACH needs to create a risk management plan that’s approved by the HHS and evaluate it every year to account for new risks.

2. Policies and Procedures

Their policies and procedures must meet HIPAA requirements, with a focus on privacy, security and breach notification. The HHS will review all of these changes and let AHS know whether they’re approved or not. If HHS does not approve, the policies get revised based on their feedback.

3. Adoption and Distribution of Policies and Procedures

ACH needs to officially adopt the accepted policies and procedures within 60 days. All ACH staff need to be notified of the changes, and any new employees receive this information within 30 days of starting their job. ACH must notify all employees within 30 days of any further changes to these policies.

Proactively Addressing HIPAA Requirements

ACH did a lot of things wrong leading up to the breach. Companies can proactively avoid this kind of situation by looking at their policies, procedures and risks to see whether they are adhering to the standards put in place by HIPAA. A routine risk assessment can go a long way toward HIPAA compliance.

The Benefits of Working With a Managed IT Services Company Specializing in HIPAA Compliance

Sometimes the resources required for complying with all HIPAA requirements go beyond a company’s in-house capabilities. If they dedicate their staff members to working on this project, other essential duties are unfulfilled. A managed IT services provider with HIPAA specialization empowers these businesses with the experts needed to address potential issues quickly and efficiently.

HIPAA violations are a costly and concerning matter, especially for small businesses operating in the healthcare sector. Working with trusted and knowledgeable partners puts companies on the right path to becoming and remaining compliant.