Florida physicians group fined $500K after patient privacy breach by vendor it hired

  • Small
  • Medium
  • Large

A medical group practice in Lakeland, Fla., will pay a $500,000 fine to settle potential HIPAA violations stemming from its hiring of someone fraudulently representing a vendor.

Advanced Care Hospitalists contracts with hospitals and nursing homes to provide internal medicine physicians. Between November 2011 and June 2012, the practice hired an individual who claimed to be a representative of Doctor’s First Choice Billings to provide medical billing services. It was later revealed that individual acted without First Choice's knowledge.

In February 2014, a hospital that contracted with the practice notified it that patient information — including names, dates of birth and Social Security numbers — was viewable on First Choice's website.

The practice originally determined 400 individuals were affected in the breach; however, it later filed a supplemental breach report with HHS' Office for Civil Rights indicating 8,855 more patients could have been affected.

A federal investigation found the practice didn't enter into a business associate agreement with the individual who provided the medical billing services until April 2014. HIPAA requires covered entities to establish these types of agreements with third-party vendors to ensure that patients' protected health information is appropriately secured.

The investigation also found that the practice did not conduct a risk analysis or implement security measures as required under HIPAA until 2014.  

As part of the settlement, the medical practice will implement a corrective action plan to adopt business associate agreements, conduct an enterprisewide risk analysis and implement comprehensive policies and procedures to comply with HIPAA.

Copyright © 2022 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.


Featured Whitepapers

Featured Webinars