[ Wednesday, December 05, 2018 ]
Jeff [12:59 PM]
Here's a case similar to the Raleigh Orthopaedic case: Advanced Care Hospitalists hired a guy who they thought worked for Doctor's First Choice Billing to help them with their billing and coding. Apparently, the guy was a fraud. But that's not important: what's important is that ACH didn't get a BAA with First Choice, and PHI ended up exposed on the First Choice website. ACH notified OCR that at least 400 and as many as 9000 patients potentially had their data exposed.
The breach notification led to an OCR investigation, which revealed a lack of BAA (and, in fact, a lack of a policy to get BAAs). Upon further review, OCR also found out that ACH had never done a risk assessment either.
Net result: a $500,000 fine. And a big black eye.
If ACH had policies and procedures, a decent HIPAA compliance program, and had entered into a BAA with the guy in the first place, but still got snookered because the guy was a fake, they would've still had a reportable breach, but I'm pretty certain they'd be half a million bucks richer (not to mention what they probably spent on lawyers dealing with this, plus the PR hit).