By James Swann
Health-care providers who don’t sign agreements with outside vendors to safeguard the privacy and security of personal health information can run afoul of the federal government.
The Illinois-based Center for Children’s Digestive Health may have violated the Health Insurance Portability and Accountability Act when it failed to sign a business associate agreement with FileFax Inc., a company that moves and stores hospital records, before transferring nearly 11,000 paper medical records to the vendor for storage, according to an April 21 resolution agreement with the Health and Human Services Office for Civil Rights.
The OCR settlement should be reviewed by all small providers and their legal counsel, because it can be difficult for them to stay on top of HIPAA’s business associate agreement requirement, Alisa Chestler, a health-care attorney with Baker, Donelson, Bearman, Caldwell & Berkowitz in Nashville, Tenn., told Bloomberg BNA April 24. CCDH, for example, has only eight professionals in the practice, Chestler said.
“Most times we see providers assuming they will be presented business associate agreements from the vendors who need to have these in place,” Chestler said.
CCDH, which provides pediatric health-care services at seven locations in Illinois, agreed to pay the HHS $31,000 and enter into a two-year corrective action plan.
Chestler said it’s unclear how the OCR became aware of the lack of a business associate agreement, because the resolution agreement doesn’t appear to be based upon a reportable event such as a breach.
The settlement highlights the OCR’s view that a failure to enter into a business associate agreement when required isn’t a minor, technical violation and can be the basis for enforcement action, W. Reece Hirsch, a health-care attorney with Morgan, Lewis & Bockius LLP in San Francisco, told Bloomberg BNA April 24.
Hirsch, a Bloomberg BNA advisory board member, said this issue was also a focus in the OCR’s 2016 settlements with Raleigh Orthopaedic Clinic and North Memorial Health Care of Minnesota.
Even if a provider has a signed business associate agreement, both the covered entity and the business associate need to implement a contract management system that will enable them to produce copies of the agreement when needed, Hirsch said. “If the parties cannot produce a signed BAA, the OCR is likely to assume that one doesn’t exist,” Hirsch said.
The $31,000 settlement appears small considering the underlying offense, which seems to be significantly worse than other business associate agreement-related settlements, Eric Fader, a health-care attorney with Day Pitney LLP in New York, told Bloomberg BNA April 24.
Care New England, for example, reached a $400,000 settlement in September 2016 over the lack of an updated business associate agreement.
“This is a reminder from the OCR that a covered entity bears the ultimate responsibility when its business associate fails to comply with its HIPAA obligations,” Fader said.
Signing a business associate agreement, ideally after both parties have actually read it, will help to educate any entity that still hasn’t figured out its responsibilities under HIPAA, Fader said.
The two-year corrective action plan includes extensive remediation actions that CCDH is expected to undertake in the next 60 days, and the provider appears to be behind already, Chestler said.
“Their website has a notice of privacy practices dated 2003, which is a red flag that they have likely not kept up with current expectations,” Chestler said, also noting that the website incorrectly spelled HIPAA.
All notices should have been updated since 2013, Chestler said.
The corrective action plan also includes a section regarding the sale of assets and requires the provider to get approval from the HHS that any sale will appropriately safeguard protected health information, Chestler said.
Attorneys who are advising providers on asset sales should take note of this provision and ensure that HIPAA is a consideration in all future transactions, Chestler said.
Hirsch said the corrective action plan emphasizes the importance of making sure that someone in the organization, mainly the privacy officer, is evaluating each new business relationship to determine whether a business associate agreement is needed.
“There is still a surprising amount of confusion in the industry about which vendors are, and are not, business associates, particularly at the margins involving new digital health technologies,” Hirsch said.
To contact the reporter on this story: James Swann in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Kendra Casey Plank at email@example.com
The settlement is at http://src.bna.com/ocC.
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.