Another government settlement demonstrates that not having a HIPAA compliance program can be costly. The U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) announced on Dec. 4, 2018, that Advanced Care Hospitalists PL (ACH) agreed to pay a whopping $500,000 to settle allegations that it violated HIPAA. ACH, based in Florida, provides physician contractors to hospitals and nursing homes. In 2011 and 2012, ACH hired an individual as a business associate to provide medical billing services, but allegedly did not enter into a HIPAA business associate agreement with that individual. In 2014, a local hospital discovered that ACH's patient information was viewable on the billing company's website. After investigation, ACH determined that over 8,000 patients could have been affected.
OCR conducted an investigation and determined that, before 2014, ACH had not conducted a HIPAA Security Rule risk analysis, had not implemented security measures, and had not developed any written HIPAA policies or procedures. Additionally, there was no business associate agreement with the individual providing billing services. In addition to paying half a million dollars for these oversights, the resolution agreement requires ACH to adopt a corrective action plan that includes, among other things, development of policies and procedures, and creation of a risk analysis and risk management plan that must be updated annually. This most recent OCR settlement agreement confirms, once again, that it is critical for healthcare companies to assess risk and take HIPAA compliance obligations seriously.