Key Takeaway:

  • HIPAA requires that Covered Entities and their Business Associates enter into written business associate agreements to ensure that protected health information is appropriately safeguarded. Failure to produce such an agreement may suggest the impermissible disclosure of protected health information.

The Center for Children’s Digestive Health, S.C. (CCDH) has paid $31,000 and entered into a two-year corrective action plan with the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

CCDH operates a pediatric subspecialty practice in seven clinic locations across Illinois. According to the Resolution Agreement, OCR initiated an investigation to determine whether CCDH’s disclosure of protected health information (PHI) to its third-party vendor, Filefax, Inc. (Filefax), was permissible under the HIPAA Privacy Rule. HIPAA requires that covered entities and their business associates enter into business associate agreements to ensure that the business associates will appropriately safeguard PHI and comply with HIPAA.

OCR’s review of CCDH’s practices arose out of its investigation of Filefax, a company that stored inactive paper medical records. The Filefax investigation was likely launched after news reports at the time revealed that medical records held by the company were found in a dumpster. CCDH had used Filefax to store its inactive paper medical records since 2003. Further investigation revealed that CCDH had disclosed the PHI of at least 10,728 individuals to Filefax without obtaining Filefax’s satisfactory assurances in the form of a written business associate agreement that it would safeguard the PHI in its possession or control.

In addition to the $31,000 payment, CCDH must revise its policies and procedures to include, among other things:

  • The designation of one or more individual(s) to ensure that CCDH enters into a written business associate agreement with each of its business associates;
  • The creation of a template business associate agreement; and
  • The implementation of a process to assess current and future business relationships to determine whether each is with a “business associate.”

CCDH must also produce training materials based on its new policies and procedures to train all of its staff members who have or will have access to PHI.

If you have any questions about this settlement or HIPAA compliance generally, please contact any member of Drinker Biddle’s Health Care Team or Information, Privacy, Security and Governance Team.

Download a PDF of the alert