Eric Fader was quoted in an April 25 article, “Health-Care Provider Pays $31K for Lack of Privacy Contract with Vendor,” in Bloomberg BNA’s Health Care Daily Report and other publications. The article reports that the Illinois-based Center for Children’s Digestive Health (CCDH) may have violated HIPAA when it failed to sign a business associate agreement with a vendor, FileFax, Inc., before transferring nearly 11,000 paper medical records to FileFax for storage.

Under a recent resolution agreement, CCDH agreed to pay the Department of Health and Human Services’ Office for Civil Rights (OCR) $31,000 and enter into a two-year corrective action plan. Eric told Bloomberg BNA that the $31,000 settlement appears small considering the severity of FileFax’s underlying offense, disposing of unneeded patient records in an unlocked outdoor dumpster rather than shredding them.

“This is a reminder from the OCR that a covered entity bears the ultimate responsibility when its business associate fails to comply with its HIPAA obligations,” Eric said. Signing a business associate agreement, ideally after both parties have actually read it, will help to educate any entity that still hasn’t figured out its responsibilities under HIPAA, he added.