Health-Care Provider Pays $31K for Lack of Privacy Contract With Vendor


By James Swann

Health-care providers who don’t sign agreements with outside vendors to safeguard the privacy and security of personal health information can run afoul of the federal government.

The Illinois-based Center for Children’s Digestive Health may have violated the Health Insurance Portability and Accountability Act when it failed to sign a business associate agreement with FileFax Inc., a company that moves and stores hospital records, before transferring nearly 11,000 paper medical records to the vendor for storage, according to an April 21 resolution agreement with the Health and Human Services Office for Civil Rights.

The OCR settlement should be reviewed by all small providers and their legal counsel, because it can be difficult for them to stay on top of HIPAA’s business associate agreement requirement, Alisa Chestler, a health-care attorney with Baker, Donelson, Bearman, Caldwell & Berkowitz in Nashville, Tenn., told Bloomberg BNA April 24. CCDH, for example, has only eight professionals in the practice, Chestler said.

“Most times we see providers assuming they will be presented business associate agreements from the vendors who need to have these in place,” Chestler said.

CCDH, which provides pediatric health-care services at seven locations in Illinois, agreed to pay the HHS $31,000 and enter into a two-year corrective action plan.

Chestler said it’s unclear how the OCR became aware of the lack of a business associate agreement, because the resolution agreement doesn’t appear to be based upon a reportable event such as a breach.

Enforcement Action

The settlement highlights the OCR’s view that a failure to enter into a business associate agreement when required isn’t a minor, technical violation and can be the basis for enforcement action, W. Reece Hirsch, a health-care attorney with Morgan, Lewis & Bockius LLP in San Francisco, told Bloomberg BNA April 24.

Hirsch, a Bloomberg BNA advisory board member, said this issue was also a focus in the OCR’s 2016 settlements with Raleigh Orthopaedic Clinic and North Memorial Health Care of Minnesota.

Best Practices

Even if a provider has a signed business associate agreement, both the covered entity and the business associate need to implement a contract management system that will enable them to produce copies of the agreement when needed, Hirsch said. “If the parties cannot produce a signed BAA, the OCR is likely to assume that one doesn’t exist,” Hirsch said.

The $31,000 settlement appears small considering the underlying offense, which seems to be significantly worse than other business associate agreement-related settlements, Eric Fader, a health-care attorney with Day Pitney LLP in New York, told Bloomberg BNA April 24.

Care New England, for example, reached a $400,000 settlement in September 2016 over the lack of an updated business associate agreement.

“This is a reminder from the OCR that a covered entity bears the ultimate responsibility when its business associate fails to comply with its HIPAA obligations,” Fader said.

Signing a business associate agreement, ideally after both parties have actually read it, will help to educate any entity that still hasn’t figured out its responsibilities under HIPAA, Fader said.

Corrective Actions

The two-year corrective action plan includes extensive remediation actions that CCDH is expected to undertake in the next 60 days, and the provider appears to be behind already, Chestler said.

“Their website has a notice of privacy practices dated 2003, which is a red flag that they have likely not kept up with current expectations,” Chestler said, also noting that the website incorrectly spelled HIPAA.

All notices should have been updated since 2013, Chestler said.

The corrective action plan also includes a section regarding the sale of assets and requires the provider to get approval from the HHS that any sale will appropriately safeguard protected health information, Chestler said.

Attorneys who are advising providers on asset sales should take note of this provision and ensure that HIPAA is a consideration in all future transactions, Chestler said.

Hirsch said the corrective action plan emphasizes the importance of making sure that someone in the organization, mainly the privacy officer, is evaluating each new business relationship to determine whether a business associate agreement is needed.

“There is still a surprising amount of confusion in the industry about which vendors are, and are not, business associates, particularly at the margins involving new digital health technologies,” Hirsch said.

To contact the reporter on this story: James Swann in Washington at

To contact the editor responsible for this story: Kendra Casey Plank at

For More Information

The settlement is at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
