November 17, 2019

November 15, 2019

Subscribe to Latest Legal News and Analysis

Company’s Vendor Suffers Breach, No Business Associate Agreement, $500K OCR Settlement

A Florida staffing agency which provides physicians to hospitals and nursing homes, has agreed to a $500,000 settlement with the U.S. Department of Health and Human Services, Office for Civil Rights. The settlement comes after an investigation revealed that the company, Advanced Care Hospitalists, disclosed the protected health information of 9,255 people to a third-party billing company without having a business associate agreement in place. Specifically, patient names, date of births and social security numbers were provided to the billing company. The settlement followed a data breach at the billing company. Namely, the PHI was exposed on the billing company’s website.

Putting it Into Practice:  This settlement is a reminder that covered entities and business associates need to have Business Associate Agreements in place with vendors and subcontractors that have access to PHI. Companies should also take time to confirm that those third parties have the required safeguards to protect the privacy and confidentiality of PHI.

Copyright © 2019, Sheppard Mullin Richter & Hampton LLP.

TRENDING LEGAL ANALYSIS


About this Author

Matthew Shatzkes Attorney New York Sheppard Mullin
Associate

Matthew Shatzkes is an associate in the Corporate Practice Group in the New York office of Sheppard Mullin and is a member of the firm’s healthcare practice team.

Matthew Shatzkes advises healthcare entities and not-for-profit corporations on a wide range of business, regulatory and transactional matters. Mr. Shatzkes advises clients on issues relating to entity formation, governance, corporate transactions (mergers, asset sales, dissolutions), and compliance with various federal and state laws, including regulatory compliance matters. Mr. ...

212-634-3062