Page 42 - Sheppard Mullin Eye on Privacy 2018 Year in Review

Company’s Vendor Suffers Breach, No Business Associate Agreement, $500K OCR Settlement
Posted on December 20, 2018
A Florida staffing agency that provides physicians to hospitals and nursing homes has agreed to a $500,000 settlement with the U.S. Department of Health and Human Services, Office for Civil Rights. The settlement comes after an investigation revealed that the company, Advanced Care Hospitalists, disclosed the protected health information of 9,255 people to a third-party billing company without having a business associate agreement in place. Specifically, patient names, dates of birth and social security numbers were provided to the billing company. The settlement followed a data breach at the billing company: the PHI was exposed on the billing company’s website.
PUTTING IT INTO PRACTICE: This settlement is a reminder that covered entities and business associates need to have Business Associate Agreements in place with vendors and subcontractors that have access to PHI. Companies should also take time to confirm that those third parties have the required safeguards to protect the privacy and confidentiality of PHI.
States Taking Actions Against Health IT Companies Over Data Breaches
Posted on December 18, 2018
Twelve state attorneys general have brought suit against two medical Information Technology companies. The AGs allege that the companies, Medical Informatics Engineering Inc. and its subsidiary, NoMoreClipboard LLC, had poor security practices that led to medical data breaches. Those breaches impacted close to four million patients. This case is the first coordinated multistate attorney general action related to the Health Insurance Portability and Accountability Act. The AGs accuse the companies of not taking adequate steps to protect information and of failing to timely notify patients of known breaches.
Specifically, in the complaint the AGs claim that the companies failed to have an active security monitoring and alert system, and that they did not encrypt PHI within their systems. The AGs also allege that no assessments of the potential risks relating to PHI were done, nor was HIPAA training conducted. Finally, the complaint alleges that the companies did not have, or did not adhere to, reasonable and appropriate standards for protecting patient information. This case evidences a trend of states enforcing consumer and data privacy laws.
PUTTING IT INTO PRACTICE: This complaint demonstrates the expectations regulators have regarding the types of security measures companies should have in place for protecting PHI. Multistate litigation enforcing HIPAA violations could significantly increase the potential penalties applicable to companies that do not have the proper safeguards in place.