As a follow-up to my previous blog on whether hospital-based physicians (such as pathologists, anesthesiologists and radiologists) need HIPAA programs, we are hearing about a major breach of medical records involving a pathology billing company in the Boston area.
According to an article posted by PHIPrivacy.net, it appears the billing company, Goldthwaite Associates of Marblehead, MA, dumped an unknown number of patient records originating from Pioneer Valley Pathology Associates, P.C. in the trash section of a Georgetown transfer station. Goldthwaite had provided billing services to the pathology group, and had recently been sold to another company when the breach occurred.
Several Boston area hospitals (Holyoke Medical Center, Carney, Milford Regional, and Milton Hospital) all used Pioneer Valley Pathology Associates for pathology services. The hospitals were notified of the breach this past August, and are performing their own investigation. According to PHIPrivacy.net, Holyoke, Carney and Milton had posted press releases at one point on their websites, but it appears they have since been taken down. The copies available on the PHIPrivacy website state that the records contained individuals’ full names, addresses, dates of birth, Social Security numbers, insurance information (including policy numbers), patient identification numbers, as well as protected health information such as diagnoses relating to pathology testing.
The question for the hospitals is whether they can be held responsible for a breach that occurred through a business associate of the pathology group. The answer may depend on the type of arrangement the pathology group had with the hospital, and whether they had established an “Organized Health Care Arrangement.” (For details, see my blog of 9/14/11, “Do Hospital-Based Physician Groups Need an OHCA to Comply with HIPAA?”)
Typically, hospital-based physician groups will contract with hospitals to perform services, but if they use standard transactions for billing, they are considered covered entities. They generally use billing companies–their business associates (BAs)–to perform the actual billing. Under the HITECH Act, covered entities must have business associate agreements in place with their BAs, and BAs are now subject to many of the regulations of HIPAA, including having their own HIPAA privacy and security policies and procedures. Covered entities and BAs share the responsibility of keeping protected health information (PHI) secured.
The Massachusetts Attorney General’s office is investigating this matter, and it remains to be seen who actually dumped the records, and whether charges will be brought against the prior or current owners of the billing company, the pathology group, or possibly the hospital.
Make sure your patients’ PHI is protected from unauthorized use or access. Does your organization utilize billing companies, do you have business associate agreements in place, and are you satisfied that they have, and are following, their own HIPAA policies and procedures?