Lack of BAA leads to fines
Lack of BAA leads to $31k HIPAA settlement
The Office for Civil Rights (OCR) recently announced that The Center for Children’s Digestive Health (CCDH) has paid a settlement of $31,000 to The Department of Health and Human Services (HHS) for potential violations of The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule.
In its statement, OCR revealed that it was undertaking a compliance review of CCDH following an investigation into one of its business associates, FileFax, Inc., which had been storing CCDH patient records containing protected health information (PHI) since 2003. Neither party was able to produce a signed Business Associate Agreement (BAA) dated prior to Oct. 12, 2015, as required under the Privacy Rule.
In addition to not having a BAA in place, the OCR investigation found that the PHI of at least 10,728 individuals was disclosed to FileFax when “CCDH transferred the PHI to Filefax without obtaining Filefax’s satisfactory assurance.”
In addition to the settlement, CCDH has agreed to implement a corrective action plan under which it will “develop, maintain, and revise its written policies and procedures to comply with the Federal standards that govern the privacy and security of individually identifiable health information.”
OCR states that these policies and procedures must be distributed to all of CCDH’s workforce members within 30 days of HHS approval, and to each new workforce member within 30 days of that member beginning service. It goes on to explain that sufficient workforce training is integral to the corrective action plan, and must ensure that:
- Every workforce member who has access to PHI receives this training
- These workforce members continue to receive this training on an annual basis
- Each new workforce member with PHI access receives this training within 15 days of starting work at CCDH
In its announcement, OCR highlighted the importance of “negotiating and entering into business associate agreements with business associates prior to disclosing PHI,” explaining that there must also be a process that limits PHI disclosures to the amount “that is reasonably necessary” for a business associate to perform its duties.
This CCDH case should serve as a stark reminder for covered entities to ensure they have a signed business associate agreement in place with each of their business associates. Failure to comply can pave the way for significant financial and reputational damage.