The Department of Health and Human Services' Office for Civil Rights (OCR) recently announced that it has agreed to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) with The Center for Children's Digestive Health (CCDH), a small seven-center pediatric subspecialty practice located in Park Ridge, Illinois.
On August 13, 2015, OCR initiated a HIPAA compliance review of CCDH following an investigation of FileFax Inc., a company CCDH had contracted to store inactive patient records. The FileFax investigation showed that the company had not entered into a business associate agreement (BAA) with CCDH before it was supplied with patients' protected health information (PHI).
The subsequent compliance review of CCDH likewise found that no signed BAA was in place. CCDH had therefore impermissibly disclosed patients' PHI to FileFax, in violation of the HIPAA Rules.
CCDH had handed over paper records relating to 10,728 patients without first obtaining, by means of a BAA, FileFax's written acknowledgment of its obligations to safeguard patients' data. Nor had CCDH obtained the satisfactory assurances the HIPAA Rules require that appropriate safeguards were in place to protect the confidentiality, integrity, and availability of PHI before the disclosure took place.
FileFax had been storing documents containing the PHI of CCDH patients since 2003, yet the earliest BAA that CCDH and FileFax could produce was dated October 12, 2015.
CCDH has agreed to pay OCR $31,000 to settle the potential HIPAA violations and to implement a corrective action plan. The plan requires CCDH to revise its policies and procedures, train its workforce on those policies and procedures, and designate one or more members of staff as responsible for ensuring that HIPAA-compliant business associate agreements are obtained from all of its business associates.
HIPAA-covered entities are permitted to disclose patients' PHI to their business associates; however, before any PHI is disclosed, the covered entity must enter into a contract with the business associate. The contract must set out the business associate's duties to safeguard PHI and to maintain controls that prevent unauthorized disclosures. It must also spell out the permitted uses and disclosures of PHI, and the business associate must agree not to use or disclose PHI other than as permitted or required by the contract or as required by law.
The business associate must also be informed of its obligation to report to the covered entity any use or disclosure of PHI not permitted by the contract, whether accidental or deliberate, and of the timeframe for doing so. The business associate should also be aware that failure to comply with the HIPAA Rules can result in significant financial penalties.