
Physician Group Cited For Sharing Patient Data Without Business Associate Agreement

Posted on December 12, 2018 | Written By

Anne Zieger is a veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @ziegerhealth on Twitter or visit her site at Zieger Healthcare.

A group providing hospitalist physicians on contract has learned the hard way that sharing PHI with vendors is a no-no unless the vendor has signed a business associate agreement. The group, Advanced Care Hospitalists, which serves west-central Florida, has been fined $500,000 for this oversight along with other derelictions of its HIPAA duties.

Between November 2011 and June 2012, ACH farmed out medical billing to an individual identifying himself as a representative of a Florida-based company named Doctor’s First Choice Billings, Inc. (In an unusual twist, this individual apparently signed the ACH deal without knowledge or permission of First Choice’s owner, which raises other questions beyond the scope of this article.)

Later, in February 2014, a hospital let ACH know that patient information was viewable on the First Choice website, including name, date of birth and social security number. Of course, ACH’s first move was to ask First Choice to take the data off of the website. Then, it surveyed the damage done.

After assessing the situation, ACH notified the HHS Office for Civil Rights about the breach. The group eventually concluded that more than 9,000 patients could have been affected. In response, OCR conducted an investigation into the breach — and reviewers weren’t exactly happy with what they found.

The OCR concluded that ACH never entered into a business associate agreement with the individual, which HIPAA requires.

What’s more, it found that despite being in business since 2005, ACH didn’t have a policy requiring that it sign business associate agreements with relevant vendors until April 2014 (another HIPAA foul) and had neither conducted a risk analysis nor implemented security measures or other written HIPAA policies before 2014 (additional, major HIPAA fouls).

Given the extent to which its HIPAA compliance, well, didn’t exist, OCR is asking for more than the $500K. ACH has agreed to a corrective action plan including the adoption of business associate agreements, a thorough risk analysis cutting across its entire business and the development of comprehensive policies and procedures needed to comply with HIPAA rules.

Perhaps if ACH had demanded that the unnamed medical billing contractor sign a business associate agreement, it might have avoided the patient data breach, or perhaps not. If nothing else, though, the hospitalist group might have stood a better chance of knowing with whom it had actually contracted, which certainly wouldn’t have hurt.

The Rise of Urgent Care and Retail Clinics – Or Is It The Rise of Convenient Healthcare?

Posted on December 5, 2018 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

It doesn’t take a rocket scientist to see that primary care faces more challenges than it’s ever faced before. Not the least of these is that it is one of the lowest-paid medical professions while medical school prices keep rising, which encourages more doctors to choose specialty medicine and eschew primary care. What’s astounding is that this trend stands in stark contrast to what patients want from primary care. Patients want more convenience while the medical establishment is turning out fewer primary care doctors, which creates a shortage of doctors and long wait times for primary care visits.

As Lydia Ramsey notes in her tweet below, urgent care offices are popping up everywhere. Combine that with retail clinics and the future of primary care is facing a lot of serious questions.

The reality is that most patients don’t want to go to urgent care or retail clinics. They’d much rather go to their PCP. Why don’t they go? The simple answer is convenience.

It’s much more convenient to hit the urgent care or retail clinic than it is to go to their primary care doctor. Some of this has to do with a shortage of primary care doctors, which means long wait times to be seen. In other cases, it’s the really poor experience patients have had visiting their doctor in the past. I don’t need to list off the litany of bad patient experiences that we’ve all had when visiting doctors. It’s like a universal PTSD experience that everyone has gone through.

Dave Chase offered his take on the rise of urgent care:

I’m not sure about his reference to the “devastation of primary care.” I’d be interested to hear why he thinks primary care has been “devastated.” Is he referring to over-regulation and underpayment? Is he referring to the shortage of docs I mention above? Is he referring to the rubber stamp PCP visits that are required to see a specialist in many insurance plans and in many ways ruined the PCP visit?

No doubt, primary care has been one of the least appreciated medical professions. However, primary care doctors didn’t do themselves any favors either. In many ways it reminds me of what Uber and Lyft have done to the taxi industry. Taxis could have embraced all the conveniences that Uber and Lyft provide, but they chose not to do so. Why not? Because they felt like they didn’t need to change since they had a virtual monopoly on the industry. Would I rather get a taxi? Yes, but I don’t because Lyft is more convenient. Sounds a lot like PCPs, doesn’t it? We’d rather go to a PCP, but an urgent care or retail clinic is more convenient.

Going back to Dave Chase’s comment that “If there’s proper primary care in a community and ethical hospitals, there’s no need for separate urgent care”: I might agree if he’d said there was less need for a separate urgent care. Urgent care does some really great work in off hours. However, the real problem is defining what he calls “proper primary care.”

I do think that if PCPs would have embraced better patient experiences, urgent cares and retail clinics would be much smaller. That said, does anyone think we can put that genie back in the bottle? I don’t think so. I believe our future healthcare system is going to have urgent care, retail clinics, and primary care.

The real question is what can PCPs do to make sure they thrive in this new mixed environment? I’d suggest that the first place to start is convenience.