Lack of Business Associate Agreement Leads to $31k HIPAA Penalty

On April 20, 2017, the Department of Health and Human Services, Office for Civil Rights (HHS OCR) announced that it had reached a settlement with the Center for Children’s Digestive Health (the Center) regarding the Center’s (alleged) violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Center is a small health system specializing in pediatric care with seven clinics, all located in Illinois.

The settlement was for $31,000 and included the Center's agreement to a Corrective Action Plan (CAP). The Center’s HIPAA violation stemmed from an arrangement between the Center and one of its business associates, FileFax, Inc. The two companies began their relationship in 2003, with FileFax storing records containing protected health information (PHI) for the Center. However, an HHS compliance review in 2015 found that there was no signed Business Associate Agreement between the parties prior to October 2015.

A Business Associate Agreement is required whenever a HIPAA-covered entity forms a relationship with a business entity under which PHI will be transmitted. The terms of the Business Associate Agreement must include information on how the PHI will be used by the business associate, how the PHI will be safeguarded and protected, and other such details.

The Center’s recent settlement is another reminder that HIPAA-covered entities need to ensure not only that their own protocols protect PHI, but that these protections extend to anyone to whom they provide PHI, in any capacity. It also reminds providers that no injury is necessary to give rise to HIPAA liability, meaning that even if PHI is de facto protected, it is still necessary to have the formal administrative safeguards in place, including having Business Associate Agreements wherever applicable.

While $31,000 is far from the largest HIPAA penalty incurred, it is still a heavy reminder for HIPAA-covered entities of any size that HIPAA is a serious regulation, and compliance with it is as important as ever.

Wachler & Associates has been a leader in the field of healthcare law since 1985, with a specialty in healthcare compliance matters, including HIPAA compliance. If you or your HIPAA-covered entity have any questions or concerns about business associate agreements or HIPAA compliance, please contact an experienced healthcare attorney at (248) 544-0888, or via email at wapc@wachler.com. You may also subscribe to our health law blog by adding your email at the top right of this page.