Compliance , HIPAA/HITECH , Privacy

Lack of BAA at Center of New HIPAA Settlement

Practice Worked with FileFax, a Vendor That's the Focus of Other Investigations
Lack of BAA at Center of New HIPAA Settlement

Federal regulators have signed a $31,000 HIPAA settlement with a small Illinois-based pediatric specialty practice, citing the lack of a business associate agreement with a vendor hired to store paper records containing patients' protected health information.

See Also: Ransomware: The Look at Future Trends

Although the April 21 settlement with the Center for Children's Digestive Health centers on paper-based PHI, the Department of Health and Human Services' Office for Civil Rights is sending another strong reminder to all covered entities and business associates about the importance of business associate agreements for vendor arrangements that involve the handling of any PHI, whether it be paper-based or electronic.

"Covered entities and business associates have an absolute obligation to have a business associate agreement in place with contractors and vendors who handle protected health information when performing an activity or function on their behalf," says privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek.

"Take the time to review all your organization's vendor agreements. Identify each contract that requires the vendor to create or maintain PHI. If a BA agreement updated to current requirements of the HIPAA Rule is not in place, have a BAA executed at once. If your vendor refuses to sign a BAA, you have no choice but to cease disclosing PHI to the contractor, have any PHI in their possession returned or securely disposed, and find a new replacement service provider."

Case Details

In its resolution agreement with CCDH, which also includes a corrective action plan, OCR notes that HHS initiated in August 2015 a compliance review of CCDH to determine whether its disclosure of PHI to FileFax, Inc., a third-party vendor that stored inactive paper medical records for patients of CCDH, was permissible under the HIPAA Privacy Rule.

HHS says in a statement that it launched a compliance review of the CCDH following the initiation of an investigation into FileFax.

The agreement notes that HHS' investigation found that while Park Ridge, Illinois-based CCDH began disclosing PHI to FileFax in 2003, neither company was able to produce a signed BAA.

CCDH "failed to obtain satisfactory assurances from FileFax, in the form of a written business associate agreement, that FileFax would appropriately safeguard the PHI that was in FileFax's possession or control," HHS notes in the resolution agreement.

In addition, the agreement notes, "CCDH impermissibly disclosed the PHI of at least 10,728 individuals to FileFax when CCDH transferred the PHI to FileFax without obtaining FileFax's satisfactory assurances, in the form of a written business associate agreement."

Holtzman suspects, however, that the compliance review into CCDH is likely related to a serious incident involving FileFax in 2015.

Hundreds of pounds of paper medical records belonging to patients of Suburban Lung Associates, another Chicago-area healthcare provider, were discovered in a dumpster outside the Northbrook, Ill., building of FileFax (see Dumped Records Case Illustrates BA Risks).

Suburban Lung Associates had hired FileFax to retain and then properly destroy its patient documents.

Holtzman suspects regulators' investigation into that incident involving FileFax potentially uncovered the lack of a business associate agreement between the records storage vendor and CCDH.

James Berman, M.D., president of CCDH, declined to comment on FileFax or what specifically spurred the OCR compliance review of CCDH. But he tells Information Security Media Group: "There was no breach of CCDH records being exposed to the public."

In a statement, OCR tells ISMG, "the focus of this resolution agreement is the lack of a business associate agreement by CCDH and FileFax, which CCDH should have obtained prior to disclosing any PHI to FileFax. The compliance review was initiated following a news report involving FileFax. This is not OCR's first settlement that resulted from a compliance review that was initiated following a news report. With respect to FileFax, as a matter of policy, the OCR does not release information about current or potential investigations."

State Lawsuit Against FileFax

Illinois attorney general Lisa Madigan in May 2015 filed a lawsuit against FileFax related to the dumpster incident, alleging violations of the state's Personal Information Protection Act, which ensures consumers' personal information is protected in Illinois, and the state's Consumer Fraud and Deceptive Business Practices Act.

However, the Illinois attorney general's office tells ISMG that its suit against FileFax was settled. An October 2015 consent decree between the attorney general and FileFax indicates the company paid $30,000 to settle its case, and agreed to a corrective action plan that included steps it would take to safeguard patient records if it stayed in business, as well as steps it would take to protect those records if FileFax decides to closed down its business.

ISMG attempted to contact FileFax for comment, but its publicly published phone number has been disconnected. Sources say the company is out of business.

Corrective Action Plan

OCR's resolution agreement with CCDH requires that the practice take several steps, including:

  • Developing, maintaining and revising its HIPAA privacy and security rule related policies and practices - including matters pertaining to business associate agreements;
  • Distributing its updated HIPAA related policies and procedures - including those related to business associates - to its workforce;
  • Providing its workforce with training related to those policies and procedures.

Common Problem?

Not having business associate agreements "is a big deal now," notes privacy attorney Kirk Nahra of the law firm Wiley Rein.

"Every covered entity needs to make sure it has these agreements in place and should know that if they don't - and something happens involving the BA - that there will be consequences," he says. "OCR won't let these slide without a really good explanation."

After a lack of risk analysis and lack of encryption, the lack of a business associate agreement appears to be one of the most common reasons for OCR settlement agreements, notes privacy attorney Adam Greene of the law firm Davis Wright Tremaine.

"While some question the continued need for business associate agreements after the HITECH Act made business associates directly subject to portions of HIPAA, OCR clearly continues to believe that entering into a business associate agreement is an essential part of HIPAA compliance."

Other Settlements

Indeed, this isn't the first OCR HIPAA settlement focusing on inadequate or missing business associate agreements between a covered entity and a business associate.

Last September, for example, OCR signed a $400,000 settlement with Care New England, an organization that provides centralized corporate support services for a number of New England-area covered entities, citing the lack of an updated business associate agreement (see Outdated BA Agreement Results in $400,000 HIPAA Settlement).

But OCR's $31,000 resolution agreement with CCDH contains one of the HIPAA enforcer's smallest financial settlements to date.

The smallest OCR financial settlement to date was a $25,000 resolution agreement signed in February 2016 with Los Angeles-based physical therapy provider, Complete P.T., Pool & Land Physical Therapy Inc. That HIPAA case involved the company failing to obtain patients' permission before using their personal information for marketing purposes (see Case Shines Spotlight on HIPAA Marketing Rules).

Overall, the case with CCDH is also a reminder that no healthcare provider is exempt from HIPAA compliance, Holtzman says. "Although small in size, this settlement will get the attention of healthcare providers," he says.

"This is an opportunity for OCR to remind small physician practices that nobody gets a pass when it comes to safeguarding PHI from unauthorized disclosure. They will be held accountable for safeguarding patient information to the same standards of a large health care organization."


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network