Do Health-Care Companies Really Need Privacy Agreements with Vendors?


Privacy and security concerns are all over the airwaves these days, involving everything from stolen credit cards to improper disclosure of medical test results. Yet even with all of this attention, some health-care providers are still leaving patient data unprotected by failing to sign business associate agreements (BAAs) with outside vendors, as a recent Health and Human Services Office for Civil Rights settlement shows.

Under the resolution agreement, the Illinois-based Center for Children's Digestive Health (CCDH) agreed to pay $31,000 for potential violations of the Health Insurance Portability and Accountability Act. The pediatric provider failed to sign a BAA with FileFax Inc., a company that moves and stores hospital records, before transferring nearly 11,000 paper medical records to the vendor for storage.

The settlement should be a warning sign to all small health-care providers and their legal counsel of the need for a signed BAA, Alisa Chestler, a health-care attorney with Baker, Donelson, Bearman, Caldwell & Berkowitz in Nashville, Tenn., told me. CCDH, for example, has only eight professionals in the practice.

“Most times we see providers assuming they will be presented business associate agreements from the vendors who need to have these in place,” Chestler said.

CCDH also entered into a two-year corrective action plan, and Chestler said the provider may already be behind in making the required changes. “Their website has a notice of privacy practices dated 2003, which is a red flag that they have likely not kept up with current expectations,” Chestler said, also noting that the website incorrectly spelled HIPAA.

You can read my full story here.


Learn more about Bloomberg Law and sign up for a free trial.