Failure to obtain BAA costs clinic group $31,000

April 28, 2017
Medicare Web

The Center for Children’s Digestive Health (CCDH), an Illinois clinic group, dished out $31,000 in a HIPAA settlement with HHS due to a lack of a business associate agreement (BAA) with a vendor, the Office for Civil Rights (OCR) announced April 20.

The CCDH, a for-profit provider with a pediatric subspecialty practice in seven clinics, began working with Filefax, Inc., a third-party vendor, in 2003. Filefax stored inactive paper records containing protected health information (PHI) for CCDH, making Filefax a business associate (BA) under HIPAA, according to the resolution agreement and corrective action plan (CAP).

OCR launched an investigation into Filefax in 2015, which led the agency to open a compliance review of CCDH. OCR’s investigators discovered that neither CCDH or Filefax could produce a signed BAA dated before October 2015. The investigators concluded that from 2003 to 2015, CCDH impermissibly disclosed the PHI of at least 10,728 individuals to Filefax.

CCDH agreed to a CAP along with the monetary settlement. CCDH must develop and revise HIPAA compliance policies and procedures, submit them to OCR for approval, and train staff on the updated policies and procedures, according to the terms of the CAP.

Related Topics: 
HIPAA