Skipping the HIPAA Business Associate Agreement Cost One Plan $31k



The inability to produce a signed business associate agreement during a Department of Health and Human Services Office for Civil Rights compliance review cost the Center for Children’s Digestive Health $31,000.

CCDH agreed to the monetary settlement and corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act of 1996, OCR announced April 20. 

CCDH had been disclosing protected health information to Filefax, which had been acting as a business associate and storing records containing protected health information since 2003. During the course of the OCR compliance review, neither CCDH nor Filefax could produce a signed business associate agreement dated prior to Oct. 12, 2015.

Under HIPAA, covered entities may only share PHI with business associates if they have a contract (business associate agreement) affirming the business associate will take appropriate steps to protect the PHI. 

A business associate is a person or entity that provides services or performs tasks on behalf of a covered entity that involve access to PHI. Business associates include third party administrators, subcontractors and cloud providers.

OCR found that CCDH had impermissibly disclosed the PHI of at least 10,728 individuals to Filefax during this time, because they had not obtained a business associate agreement stating Filefax would appropriately safeguard the PHI.

It’s just as important to maintain a business associate agreement as it is to have one. In Sept. 2016, Care New England Health System was fined $400,000 for an out-of-date business associate agreement and its potential HIPAA violations. (See related story, Outdated HIPAA Agreement Costs Business Associate Big Bucks.)
