
$31,000 Business Associate HIPAA Settlement Hits Small Practice


July 7, 2017


2017 has been a year of unprecedented HIPAA settlements–and this $31,000 fine is no exception.

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced on April 20, 2017 that it reached this major $31,000 settlement with The Center for Children’s Digestive Health (CCDH). CCDH is based out of Park Ridge, Illinois.

HIPAA investigations can come as a surprise to some organizations, but that especially holds true for CCDH. Unlike many cases, CCDH was not even responsible for a data breach–its record storage provider was. This is the ultimate warning for health care providers and behavioral health specialists, especially, about the risk that your practice faces from outside vendors.

Getting Fined for your Vendors’ Mistakes…

When it comes to HIPAA compliance, any vendor that handles protected health information (PHI) is considered a business associate (BA). PHI is any information that can be used to identify a patient–this includes demographic information such as names, addresses, dates of birth, social security numbers, financial information, insurance information, health records, or full facial photos, to name a few examples.

Because FileFax was hired to store CCDH’s medical records, it is necessarily considered a BA under HIPAA regulation. A BA is any organization contracted by a health care provider that handles PHI over the course of the work it has been hired to do. Common examples include cloud storage providers, telehealth video conferencing, physical storage providers, IT services, medical billing firms, and EHR platforms. This list is by no means exhaustive, and it bears repeating that any vendor with whom you share PHI must be HIPAA compliant.

Before sharing PHI with a business associate, you must execute a Business Associate Agreement (BAA). BAAs should be included in any effective HIPAA compliance program. These are contracts that protect your organization from liability in the event of a data breach caused by your BA–and this is exactly what led to CCDH’s massive fine.

So What Caused the $31,000 HIPAA Settlement?

HIPAA auditors did a review of all the companies that FileFax did business with over the course of the HIPAA investigation. OCR only found one BAA executed between CCDH and FileFax, which was dated October of 2015, even though the two companies had been doing business since 2003.

The fact that CCDH had been sharing PHI unlawfully without a BAA led OCR to hand down the $31,000 fine.

More than anything, this settlement illustrates the risk that all health care providers face from their vendors. If you’re doing business with a vendor that handles PHI and you haven’t executed a BAA, you’re putting your practice at risk in the event of a HIPAA investigation or data breach.
