Summary
On April 20, 2017, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced that Children’s Digestive Health (CDH) agreed to pay HHS $31,000 for its failure to have a business associate agreement (BAA) in place with a third-party vendor that stored inactive paper medical records for patients of CDH. There was no allegation of any breach of protected health information (PHI) of any CDH patient.
CDH operates a pediatric subspecialty practice in seven locations in Illinois. In August 2015, HHS initiated a compliance review of CDH to determine whether its disclosure of its inactive paper medical records to a company called Filefax for storage was permissible under the HIPAA Privacy Rule. CDH began its relationship with Filefax in 2003. Neither CDH nor Filefax could produce an executed BAA until 2015. In the interim, the PHI of slightly less than 11,000 individuals was transferred from CDH to Filefax.
As part of CDH’s monetary settlement with HHS, it entered into a two-year corrective action plan (CAP). The CAP requires CDH to do each of the following:
-
develop, maintain and revise, as necessary, its written policies and procedures that govern the HIPAA Privacy and Security Rules, specifically including revised policies and procedures on BAAs, and distribute them to its workforce;
-
with respect to BAA policies and procedures: designate a person(s) responsible for ensuring CDH enters into a BAA with each of its business associates; create a template BAA; develop processes to assess current and future relationships and enter into a BAA prior to disclosing PHI; and maintain documentation of BAAs for six years after the business associate relationship terminates;
-
provide to HHS a list of all business associates and copies of executed BAAs and service agreements with business associates; and
-
provide assurance to HHS, upon the closing of any asset sale that will result in CDH no longer being a HIPAA covered entity, that any PHI CDH continues to possess or control after closing will be appropriately safeguarded.
While the fine agreed to by CDH is “small” (as compared to other recent settlements announced by HHS (see, e.g., Health Care alert, April 17, 2017 and Health Care alert, February 21, 2017), this settlement is unprecedented as there was no reported breach. There was “only” the absence of an executed BAA between CDH (a covered entity) and Filefax (a CDH business associate).
The CDH settlement is a stark reminder to all covered entities and business associates of the importance of maintaining compliance with each element of the HIPAA Privacy and Security Rules, including having executed BAAs in effect and on file.
