Why you need a HIPAA-compliant business associate agreement

The recent announcement by The Department of Health and Human Services’ Office for Civil Rights (OCR) that it agreed to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) with The Center for Children’s Digestive Health (CCDH) should serve as a lesson to other healthcare organizations about the need to obtain signed, HIPAA-compliant business associate agreements with all vendors before disclosing any protected health information.

Last month, CCDH, a seven-center pediatric subspecialty practice based in Park Ridge, Illinois, agreed to pay OCR $31,000 to resolve potential HIPAA violations. CCDH also agreed to adopt a corrective action plan, which includes updating policies and procedures, conducting staff training on those policies and procedures, and making one or more employees responsible for ensuring that HIPAA-compliant business associate agreements are obtained from all business associates.

According to the resolution agreement, on August 13, 2015, OCR conducted a HIPAA compliance review of CCDH following an investigation of FileFax Inc., which CCDH contracted with to store inactive patient records. The FileFax investigation revealed the company had not signed a business associate agreement before it was provided with patients’ protected health information.

FileFax, a Chicago record storage and disposal company, had previously been the target of an investigation and subsequent litigation after medical files containing patients' personal information (i.e., drivers' licenses, Social Security numbers and medical histories) were found in a nearby dumpster.

An investigation found that CCDH had disclosed the protected health information of at least 10,728 patients to FileFax without obtaining the company's assurances, in the form of a written business associate agreement, that it would safeguard the information.

HIPAA requires that covered entities and their business associates enter into business associate agreements to ensure that the business associates will properly safeguard the information and comply with HIPAA. In addition, the business associate must be advised of the allowable uses and disclosures of the information and must agree not to use or disclose any protected health information unless required to do so under the terms of the contract or by law.

Having a compliance program in place is the first step in protecting yourself and your practice. The Health Law Offices of Anthony C. Vitale’s highly skilled team of experienced legal professionals can help you to create a HIPAA Privacy and Security compliance program designed to meet your unique needs. Give us a call at 305-358-4500 or send an email to info@vitalehealthlaw.com and let’s discuss how we might be able to assist you.