2017 has been a year of unprecedented HIPAA settlements, and this $31,000 fine is no exception.
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced on April 20, 2017 that it had reached a $31,000 settlement with The Center for Children’s Digestive Health (CCDH), a pediatric practice based in Park Ridge, Illinois.
HIPAA investigations can come as a surprise to any organization, and CCDH’s case is an especially sharp example. Unlike many cases, CCDH was not itself responsible for a data breach; its record storage provider, FileFax, was the one under investigation. That makes this settlement a clear warning to health care providers, and to behavioral health specialists in particular, about the risk your practice faces from outside vendors.
Getting Fined for your Vendors’ Mistakes…
When it comes to HIPAA compliance, any vendor that handles protected health information (PHI) on your behalf is considered a business associate (BA). PHI is individually identifiable health information: health records and treatment or payment details tied to identifiers such as names, addresses, dates of birth, Social Security numbers, financial information, insurance information, or full facial photos, to name a few examples.
Because FileFax was hired to store CCDH’s medical records, it is necessarily a BA under the HIPAA regulations. A BA is any organization contracted by a health care provider that creates, receives, maintains, or transmits PHI in the course of the work it has been hired to do. Common examples include cloud storage providers, telehealth video conferencing services, physical records storage providers, IT services, medical billing firms, and EHR platforms. This list is by no means exhaustive, and it bears repeating that any vendor with whom you share PHI must be HIPAA compliant.
Before sharing PHI with a business associate, you must execute a Business Associate Agreement (BAA). BAAs belong in every effective HIPAA compliance program. These contracts spell out the BA’s obligations to safeguard your PHI and define each party’s responsibilities in the event of a breach caused by the BA. The absence of one is exactly what led to CCDH’s fine.
So What Caused the $31,000 HIPAA Settlement?
During its investigation of FileFax, OCR reviewed the companies that FileFax did business with. OCR found only one BAA executed between CCDH and FileFax, dated October 2015, even though the two companies had been doing business since 2003.
Because CCDH had been disclosing PHI to FileFax without a BAA in place for roughly twelve years, OCR handed down the $31,000 fine.
More than anything, this settlement illustrates the risk that all health care providers face from their vendors. If you are doing business with a vendor that handles PHI and you have not executed a BAA, you are putting your practice at risk in the event of a HIPAA investigation or a data breach, whether or not the breach is your own.