A relatively quiet year for HIPAA enforcement is ending with a small flourish. The Office of Civil Rights of the Department of Health and Human Services (HHS) has announced two settlements with covered entities within the span of eight days.
The first settlement involved Advanced Care Hospitalists (ACH), a company that provides internal medicine physicians to hospitals and nursing homes in Florida. In 2014, ACH received notice from a local hospital that individually identifiable patient information had been posted on the website of a third-party billing provider. ACH reported the breach, which ultimately led to an HHS investigation. HHS found that:
- The disclosure affected 9,225 patients.
- ACH failed to enter into a business associate agreement with one or more vendors who had access to protected health information (PHI).
- ACH did not implement privacy, security, or breach notification policies and procedures until after the breach was discovered.
- ACH failed to conduct a security risk analysis until after the breach was discovered.
To settle these matters, ACH agreed to pay a $500,000 penalty and fulfill its obligations under a supervised corrective action plan that focuses on the identified failures.
The second settlement followed from a complaint lodged with HHS against Pagosa Springs Medical Center (PSMC) in Colorado. The ensuing investigation revealed:
- The impermissible disclosure of the PHI of at least 557 individuals to a former employee whose access to PSMC’s information systems was not revoked upon termination of employment.
- The impermissible disclosure of the PHI of at least 557 individuals to a business associate without an appropriate business associate agreement.