The Department of Health and Human Services’ Office for Civil Rights has issued a $31,000 HIPAA penalty for a business associate agreement violation to The Center for Children’s Digestive Health (CCDH), a for-profit 7-center Illinois pediatric healthcare provider.
OCR discovered potential HIPAA violations during an investigation of the document storage solution provider FileFax. The investigation revealed that FileFax had obtained the protected health information of patients, yet could not produce a HIPAA-compliant business associate agreement. The findings of the investigation prompted OCR to conduct a HIPAA compliance review of CCDH on August 13, 2015.
OCR investigators asked CCDH to produce a signed copy of the business associate agreement it had obtained from FileFax prior to disclosing PHI; however, the document could not be produced. Further investigation revealed that CCDH had been working with FileFax since 2003. The first signed business associate agreement that could be produced by either FileFax or CCDH was dated October 2015, two months after the OCR HIPAA compliance review.
CCDH provided inactive documents containing patients’ PHI to FileFax to store them to meet federal and state documentation retention laws. Yet the absence of a signed business associate agreement meant no HIPAA-compliant, documented assurances had been received by CCDH that the information would be safeguarded in compliance with HIPAA Rules.
By providing those documents to FileFax to be stored, CCDH violated HIPAA Rules and potentially placed the PHI of 10,728 patients at risk.
FileFax had not officially agreed, through a business associate agreement, to ensure the documents were securely stored and had not confirmed that safeguards had been implemented to protect the confidentiality of PHI in the documents. Without a signed business associate agreement, CCDH had no official assurance that FileFax would not disclose any PHI to a third party and would not use any of the information contained in the documents. The provision of the documents to FileFax was therefore an impermissible disclosure.
The HIPAA penalty for a business associate agreement violation was only $31,000 in this instance; however, the penalty could have been considerably higher. The maximum HIPAA penalty for a business associate agreement violation is $1.5 million per calendar year that the violation persisted. The settlement should serve as a warning for all covered entities that violations of HIPAA Rules can prove costly.
OCR is increasingly penalizing healthcare organizations for the failure to comply with HIPAA Rules. This is the sixth HIPAA settlement to be announced this year, and with 8 months of the year to go, last year’s total of 12 settlements (and one CMP) is likely to be eclipsed.