Provider hit with $31,000 HIPAA settlement over lack of business associate's agreement
The failure of one Illinois specialist to procure a business associate's agreement has cost it more than $30,000 in a settlement with the U.S. Department of Health and Human Services.
The Center for Children’s Digestive Health, a small, for-profit pediatric subspecialty practice that operates seven clinic locations in the Chicago area, had contracted in 2003 with FileFax, a Northbrook, Illinois-based firm that stores medical records.
Despite the fact that the files contain protected health information, an investigation from HHS' Office for Civil Rights discovered that neither party could show a signed business associate agreement prior to Oct. 12, 2015.
In May of 2015, the Illinois Attorney General brought suit against FileFax for improper handling of PHI, charging that its employees had tossed the paper medical records of thousands of patients into an unlocked dumpster.
That summer, during a compliance review of the Center for Children’s Digestive Health, OCR found that CCDH had "failed to obtain satisfactory assurances from Filefax, in the form of a written business associate agreement, that Filefax would appropriately safeguard the PHI" that was in the company's possession.
Despite not having a BAA in place, the provider shared the records of at least 10,728 people, according to OCR.
To settle the charge, the provider will pay HHS $31,000 and enter into a corrective action plan to develop policies and procedures in compliance with federal privacy and security standards, educate its staff about proper handling of PHI and provide HHS a list of all of its business associates, with a signed BAA for each.
Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com