2017 has been a year of unprecedented HIPAA settlements–and this $31,000 fine is no exception.
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced on April 20, 2017 that it reached this major $31,000 settlement with The Center for Children’s Digestive Health (CCDH). CCDH is based out of Park Ridge, Illinois.
HIPAA investigations can come as a surprise to some organizations, but that especially holds true for CCDH. Unlike many cases, CCDH was not even responsible for a data breach–its record storage provider was. This is the ultimate warning for health care providers and behavioral health specialists, especially, about the risk that your practice faces from outside vendors.
Getting Fined for your Vendors’ Mistakes…
When it comes to HIPAA compliance, any vendor that handles protected health information (PHI) is considered a business associate (BA). PHI is any information that can be used to identify a patient–this includes demographic information such as names, addresses, dates of birth, social security numbers, financial information, insurance information, health records, or full facial photos, to name a few examples.
Because FileFax was hired to stored CCDH’s medical records, it is necessarily considered a BA under HIPAA regulation. BAs are any organization contracted by a health care provider that handles PHI over the course of the work they’ve been hired to do. Common examples include cloud storage providers, telehealth video conferencing, physical storage providers, IT services, medical billing firms, and EHR platforms. This list is by no means exhaustive, and it bears repeating that any vendor with whom you share PHI must be HIPAA compliant.
Before sharing PHI with a business associate, you must execute a Business Associate Agreement (BAA). BAAs should be included in any effective HIPAA compliance program. These are contracts that protect your organization from liability in the event of a data breach caused by your BA–and this is exactly what lead to CCDH’s massive fine.
So What Caused the $31,000 HIPAA Fine?
HIPAA auditors did a review of all the companies that FileFax did business with over the course of the HIPAA investigation. OCR only found one BAA executed between CCDH and FileFax, which was dated October of 2015, even though the two companies had been doing business since 2003.
The fact that CCDH had been sharing PHI unlawfully without a BAA lead OCR to hand down the $31,000 fine.
More than anything, this settlement illustrates the risk that all health care providers face from their vendors. If you’re doing business with a vendor that handles PHI and you haven’t executed a BAA, you’re putting your practice at risk in the event of a HIPAA investigation or data breach.
Compliancy Group gives behavioral health professionals confidence in their HIPAA compliance with The Guard™. The Guard is a web-based HIPAA compliance solution, built by former auditors to help simplify compliance.
Compliancy Group’s team of expert Compliance Coaches™ field questions and guide users through the implementation process, taking the stress out of managing compliance. The Guard is built to address the full extent of HIPAA regulation, including fully automated documentation of policies, procedures, employee training, and remediation plans. The Guard includes policies and procedures that are uniquely tailored to the needs of your organization so you’ll never have to worry about the headaches that come with generic policy binders again.
With The Guard, behavioral health professionals can focus on running their practice while keeping their patients’ data protected and secure.
For more information about what you can do to protect your behavioral health practice, see these upcoming HIPAA educational webinars.
Find out more about how Compliancy Group and the HIPAA Seal of Compliance can help simplify your HIPAA compliance today!
Disclaimer: The views and opinions expressed in the article and on this blog post are those of the authors. These do not necessarily reflect the views, opinions, and position of the Telebehavioral Health Institute (TBHI). Any content written by the authors are their opinion and are not intended to malign any organization, company or individuals.