The U.S. Department of Health and Human Services (HHS) last week announced a settlement with the Center for Children’s Digestive Health (CCDH), a small pediatric digestive health practice, for providing protected health information (PHI) to a document storage company without requiring the storage company to execute a business associate agreement (BAA) as required under the HIPAA Privacy Rule.

The HHS Office for Civil Rights (OCR) initiated a compliance review of CCDH when an investigation relating to the improper disposal of patient records by the storage company, FileFax, Inc., revealed a relationship with CCDH. Instead of disposing of unneeded records containing PHI in a secure manner (for example, by shredding them), FileFax left the records in an unlocked outdoor dumpster. Although CCDH began disclosing PHI to FileFax for storage purposes in 2003, the parties could only produce a BAA executed on October 12, 2015.

The Resolution Agreement requires CCDH to pay a fine of $31,000 and implement a corrective action plan which will include a process for establishing whether a party is a business associate under HIPAA. While the amount of the settlement is relatively small, the case serves to underscore that all covered entities, regardless of size, will face consequences if they fail to obtain written assurances that a business associate will safeguard PHI.