“You Are Known By The Company You Keep” — Including Vendors Without Business Associate Agreements

The concept that one is known by the company one keeps dates back to ancient times (the particular phrase is attributed to both Aesop and the Book of Proverbs). But this simple aphorism continues to be true. A recent example is the $500,000 that Advanced Care Hospitalists (ACH) had to pay to the Office for Civil Rights of the U.S. Department of Health and Human Services (OCR) to settle potential violations of the HIPAA Privacy and Security Rules.

ACH provides contracted internal medicine physicians to hospitals and nursing homes in west central Florida. ACH provided services to more than 20,000 patients annually. Between November 2011 and June 2012, ACH engaged the services of an individual who represented himself to be a representative of a Florida-based company named Doctor’s First Choice Billings, Inc. (First Choice). The individual provided medical billing services to ACH using First Choice’s name and website, but allegedly without any knowledge or permission of First Choice’s owner! On February 11, 2014, a local hospital notified ACH that patient information was viewable on the First Choice website, including name, date of birth and Social Security number. ACH found that 8,855 patients could have been affected by this breach.

OCR’s investigation revealed that ACH never entered into a business associate agreement with the individual providing medical billing services to ACH, and failed to adopt any policy requiring business associate agreements until April 2014. Although ACH had been in operation since 2005, it had not conducted a risk analysis or implemented security measures or any other written HIPAA policies or procedures before 2014. In addition to the monetary settlement, ACH will undertake a robust corrective action plan that includes the adoption of business associate agreements, a complete enterprise-wide risk analysis, and comprehensive policies and procedures to comply with the HIPAA Rules.

What lessons can be taken away from ACH’s misfortune?

  • Adopt a policy of investigating all vendors (new ones and ones you are currently doing business with)
  • Adopt a policy of requiring HIPAA business associate agreements with all vendors handling PHI
  • Conduct a HIPAA risk analysis and staff training annually

In sum, do as that old Russian proverb suggests: “Доверяй, но проверяй” (“Trust, but verify”).
