OCR has continued to hand out settlements to close out 2018. Maybe two more isn’t what you would consider raining. At the rate these last few announcements have come out vs normal rates, though, it is definitely raining! While these last two do pale in comparison to the huge Anthem settlement, they certainly bring home more messages. The point Director Severino made previously was they were looking to set examples. What lessons are they trying to teach us with the Florida and Colorado settlements announced in December?
On December 4, 2018, OCR announced a settlement with Advanced Care Hospitalists PL out of Florida who agreed to pay $500,000 and enter a 2-year corrective action plan (CAP). The Severino quote in this press release says:
“This case is especially troubling because the practice allowed the names and social security numbers of thousands of its patients to be exposed on the internet after it failed to follow basic security requirements under HIPAA,” said OCR Director Roger Severino.
Yes, we agree. This one is troubling. Here’s what happened.
Advanced Care puts contracted internal medicine physicians in hospitals and nursing homes. They are hospitalists that work in different sites based on the contracts. They have to bill for their services just like anyone else so they hired Doctor’s First Choice Billings, Inc. to do their billing. This is something many practices do and there are a lot of good companies out there to do this for you. Today most of them call themselves RCM providers for revenue cycle management.
Here is where things went awry, though. We all know that those companies are business associates (BAs). Apparently, no one in charge of such things for Advanced Care knew. They did no due diligence and had no business associate agreement (BAA) in place. If they had done those steps this whole thing would likely have been avoided. (Well, of course, it would because they probably wouldn’t have had all these other problems either.)
The person that they hired, we will call Sam T. Scammer, was not really working for First Choice. Sam was using the First Choice name and system but doing the billing on the side, not really through Doctor’s First Choice directly. IKR! This arrangement took place from November 2011 through June 2012.
It isn’t clear why they stopped using Sam in June 2012. What we do know is that on February 11, 2014, one of their hospitals notified Advanced Care that they had patient information viewable on the First Choice website.
Advanced Care does their investigation and says they were able to identify at least 400 affected individuals. They asked First Choice to remove the protected health information from its website. Advanced Care filed a breach notification report with OCR on April 11, 2014, saying we notified the 400 and the problem is solved. Note, the barely under 500 number.
Apparently, they hadn’t really looked deep enough at the problem even though they had taken the full 60 days. They filed a supplemental breach report with OCR stating that an additional 8,855 patients could have been affected.
What were the violations that accounted for the settlement? It was raining violations in this one.
- No BAA in place for First Choice or Sam T Scammer.
- No policy or procedure requiring any BAAs. So, they probably had other BAAs missing too.
- Never done a risk analysis until March 4, 2014, even though they had been in business since 2005 when the requirement was implemented.
- Didn’t have security measures in place (since they never did a risk analysis) until April 1, 2014.
- Never had any written policies and procedures until April 1, 2014. Wonder why they got them then?
They have to be lucky that they only got hit with $500K. Their 2 year CAP is basically requiring them to build a complete privacy and security program according to OCR standards in 1-year and be watched for another year. You have to assume the stuff they put in place trying to CYA in 2014 was not really the type of program required. It is impossible to do that in a case like this in 2 months.
I have seen this happen before. They throw something together to show they did something but what happens after that matters. They made some effort but to get this fine and settlement how much effort did they really make after the problem was found? Why hadn’t they done it before it happened? These are questions we can’t answer but based on our experience we would assume the answers aren’t acceptable based on this settlement.
Settlement #2 – Colorado case
On December 11, 2018, OCR announced a settlement with Colorado-based Pagosa Springs Medical Center who agreed to pay $111,400 (yes, that amount) and a 2 year CAP. The press release included Severino’s customary quote trying to bring home whatever lesson we are supposed to learn by saying:
“It’s common sense that former employees should immediately lose access to protected patient information upon their separation from employment,” said OCR Director Roger Severino. “This case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn’t.”
So there is in this one, “This case underscores the need for covered entities to always be aware of who has access to their ePHI and who doesn’t.” We have seen this problem before when Memorial Hospital in Florida had something similar occur with their affiliated physician practice’s staff not being disabled. That is the one we now call the “5 o’clock somewhere case” that we have discussed many times. What happened in Colorado, though, involves a staff member of the hospital itself. Interesting that the BA thing slips in here also.
A former PSMC employee continued to have remote access to PSMC’s web-based scheduling calendar after they were no longer employed by the medical center. The breach involved 557 individuals. That is an unfortunate number for them. The ex-employee apparently only access the calendar twice, on July 8 and September 10, 2013, but the damage was done at that point.
The thing that OCR also throws in here is that the web-based scheduling calendar vendor did not have BAA in place either! Double trouble on this one. Especially, when you find out that the scheduling calendar vendor was…. wait for it….. GOOGLE! <G Suite HIPAA Implementation Guide>
I don’t even think you could have a BAA with Google back then. They didn’t have a BAA but they probably never even thought of one just like the Advanced Care folks. The only saving grace for this group is it wasn’t publicly accessible. This same thing happened WAY back in 2012 when Phoenix Cardio paid the first settlement for independent medical practices. Phoenix paid $100,00 way back then with a 1-year CAP.
Again, we have a 2-year CAP that requires them to build a proper program. The interesting thing in this CAP was the specific details about BA management.
PSMC shall revise its policies and procedures relating to Business Associates (Business Associate Policies and Procedures) to:
1) designate one or more individual(s) who are responsible for ensuring that PSMC enters into a business associate agreement with each of its business associates, as defined by the HIPAA Rules, prior to PSMC disclosing protected health information (PHI) to the business associate;
2) create a process for assessing PSMC’s current and future business relationships to determine whether each relationship is with a “business associate,” as that term is defined under the HIPAA Rules;
3) create a process for negotiating and entering into business associate agreements with business associates prior to disclosing PHI to the business associates;
4) create a standard template business associate agreement;
5) create a process for maintaining documentation of each business associate agreement for at least six (6) years beyond the date when the business associate relationship is terminated; and
6) create a process to limit disclosures of PHI to business associates to the minimum necessary amount of PHI that is reasonably necessary for business associates to perform their duties.
I highlighted some of the requirements we have gotten push-back from people when we tell them they need to have them. Ahhh vindication feels so very good!
So there you have the latest lessons to learn. These settlements are by far the best guidance we can get out of OCR. Any time someone says they don’t tell you what is expected, send them to the settlements page on the HHS website. It is loaded with examples of what to do and what not to do. Based on this information, you should also make sure they understand BAs and BAAs because they may very well have no understanding.