What Happens When You Don’t …

In this week’s Know The Rules! I present a case study on what happens when you don’t perform your Business Associates Due Diligence.



Do you know the expression …



What you don’t know WILL hurt you!!

That is what Advanced Care Hospitalists (ACH), a contractor physician group in West Florida, found out the hard way after a Business Associate (BA) of theirs had a healthcare data breach in 2014.

Here Is What Happened

Between November 2011 and June 2012, ACH engaged the services of an individual who claimed to be a representative of Doctor’s First Choice billings Inc., a Florida-based provider of medical billing services. That individual used First Choice’s company name and website, but according to the owner of First Choice, those services were provided without the knowledge or permission of First Choice.

A local hospital notified ACH on February 11, 2014 that some patient information – including names, birth dates, Social Security numbers, and some clinical information – was viewable on the First Choice website. The website was shut down the following day.

In April 2014, ACH submitted a breach report to OCR about the impermissible disclosure of patients’ protected health information (PHI). Its initial breach report stated the PHI of 400 patients had been impermissibly disclosed, but later amended the breach report after it was discovered a further 8,855 patients’ PHI had also been impermissibly disclosed.

What the OCR Investigation Revealed

OCR investigated the breach and discovered that despite having been in operation since 2005, ACH DID NOT implement ANY HIPAA Privacy, Security, and Breach Notification Rule policies and procedures before April 1, 2014, and had failed to implement appropriate security measures.

ACH also failed to conduct a complete and thorough risk analysis until March 4, 2014.

All though PHI had been disclosed to the individual providing medical billing services, ACH failed to enter into a Business Associate Agreement (BAA). As a result of the lack of a BAA, ACH impermissibly disclosed the PHI of 9,255 patients to a third party for billing processing services – PHI that was subsequently exposed online.

As OCR Director Roger Severino said:

“This case is especially troubling because the practice allowed the names and social security numbers of thousands of its patients to be exposed on the Internet after it failed to follow basic security requirements under HIPAA”

Settlement Time

Advanced Care Hospitalists PL (ACH) agreed to pay $500,000 to the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS)

In addition to paying the fine, ACH has agreed to implement a robust 2 year Corrective Action Plan (CAP) to correct all HIPAA compliance failures …


You know what that means don’t you – that means that the government is going to be in their business for at least the next two years. Not a place I’d like to be!!

This organization could have saved themselves a whole lot of sleepless nights, financial expense and lost revenue before they signed the Business Associate Agreement.

Don’t let this happen to your organization. Know that your Business Associates have performed ALL of the HIPAA compliance activities.

Now I ask you …

Have YOU done YOUR Business Associates Due Diligence?

Do you need help getting started or with managing your Business Associate clients?


Schedule a call, I’m here to help!!