Company’s Vendor Suffers Breach, No Business Associate Agreement, $500K OCR Settlement
A Florida staffing agency which provides physicians to hospitals and nursing homes, has agreed to a $500,000 settlement with the U.S. Department of Health and Human Services, Office for Civil Rights. The settlement comes after an investigation revealed that the company, Advanced Care Hospitalists, disclosed the protected health information of 9,255 people to a third-party billing company without having a business associate agreement in place. Specifically, patient names, date of births and social security numbers were provided to the billing company. The settlement followed a data breach at the billing company. Namely, the PHI was exposed on the billing company’s website.
Putting it Into Practice: This settlement is a reminder that covered entities and business associates need to have Business Associate Agreements in place with vendors and subcontractors that have access to PHI. Companies should also take time to confirm that those third parties have the required safeguards to protect the privacy and confidentiality of PHI.