Settlement Highlights Need for HIPAA-Covered Entities to Have Business Associate Agreements in Place with PHI Vendors

By: Sara Jodka

The Department of Health and Human Services’ Office for Civil Rights (OCR) announced an agreement to settle possible Health Insurance Portability and Accountability Act (HIPAA) violations with The Center for Children’s Digestive Health (CCDH).

This settlement is worth noting because it highlights the need for HIPAA-covered entities to obtain signed HIPAA-compliant business associate agreements (BAA) with all vendors prior to disclosing any protected health information.

The settlement stemmed from an August 13, 2015 HIPAA compliance review of CCDH following an investigation of FileFax Inc., which was a vendor CCDH contracted with to store CCDH’s inactive patient records. The FileFax investigation revealed that it had not signed a business associate agreement with CCDH before CCDH turned over its patients’ protected health information (PHI). OCR’s subsequent compliance review of CCDH confirmed the same thing – no pre-PHI-disclosure vendor agreement between CCDH and FileFax. As a result, CCDH had impermissibly disclosed paper records relating to 10,728 patients to FileFax without officially advising FileFax, by means of a BAA, of its responsibilities to safeguard patient data in violation of HIPAA Rules. 

CCDH also failed to receive from FileFax any HIPAA-compliant assurances indicating that FileFax had implemented appropriate safeguards to ensure the confidentiality, integrity, and availability of PHI prior to CCDH’s disclosure.

The investigation revealed that FileFax had been storing CCDH’s PHI since 2003, but the earliest BAA was dated October 2015. The issue: HIPAA-covered entities are only permitted to disclose the PHI of patients to business associates via an agreement ensuring proper protection of the PHI. In particular, any BAA must explain the business associate’s responsibilities to ensure PHI is secured and safeguards are implemented to prevent unauthorized disclosures. The business associate must also be advised of the allowable uses and disclosures of PHI and must agree not to use or disclose any PHI unless required to do so under the terms of the BAA or as required by law. 

The business associate must also notify the covered entity, within the deadline for doing so, in the event that any PHI is accessed or disclosed. The BAA must advise the covered entity that the failure to comply with HIPAA Rules can result in financial penalties being issued.

As part of the settlement, CCDH agreed to pay OCR $31,000 to resolve the potential HIPAA violations and to adopt a corrective action plan that includes updating policies and procedures, conducting staff training on those policies and procedures and ensuring employees are responsible for obtaining HIPAA-compliant BAAs from all business associates.
Please feel free to contact Sara Jodka (Of Counsel) in our Columbus office at 614-744-2943.