Reed Smith Client Alerts

A Health Insurance Portability and Accountability Act of 1996 (HIPAA) covered entity’s recent settlement with the U.S. Department of Health and Human Services Office for Civil Rights (OCR) highlights the need for entities subject to HIPAA to enhance their focus on compliance, including with respect to their relationships with business associates.

Authors: Kimberly J. Gold Brad M. Rostolsky Robert Kantrowitz

Compliance with HIPAA requires covered entities to maintain appropriate administrative, technical, and physical safeguards to protect protected health information (PHI), including, but not limited to, executing business associate agreements (BAAs) with vendors who have access to PHI, implementing HIPAA compliance policies and procedures, and conducting a security risk analysis.

On December 4, 2018, the OCR announced a settlement with a covered entity based on allegations that the entity failed to implement adequate security measures and execute a BAA, which led to an unauthorized disclosure of PHI. As a result, the entity had to pay a substantial sum to the OCR and enter into a corrective action plan.

Specifically, between 2011 and 2012, the covered entity, a Florida provider of contracted internal medicine physicians to hospitals and nursing homes, engaged the services of an individual to provide billing services based on the individual’s assertion that he was a representative of the billing company. Ultimately, it was discovered that the individual made this representation without the knowledge or permission of the medical billing company.