Lack of Business Associate Agreement Leads to $31k HIPAA Penalty
On April 20, 2017, the Department of Health and Human Services, Office for Civil Rights (HHS OCR) announced that it had reached a settlement with the Center for Children’s Digestive Health (the Center) regarding the Center’s (alleged) violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The Center is a small health system specializing in pediatric care with seven clinics, all located in Illinois.
The settlement was for $31,000, and included the Center agreeing to a Corrective Action Plan (CAP). The Center’s HIPAA violation stemmed from an arrangement between the Center and one of its business associates, FileFax, Inc. The two companies began their relationship in 2003, with FileFax storing records containing protected health information (PHI) for the Center. However, through an HHS compliance review in 2015, it was discovered that there was no signed Business Associate Agreement between the parties prior to October 2015.
A Business Associate Agreement is required whenever a HIPAA-covered entity forms a relationship with a business entity, pursuant to which PHI will be transmitted. The terms of the Business Associate Agreement must include information on how the PHI will be used by the business associate, how the PHI will be safeguarded and protected, and other such details.