Last month, the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) announced a resolution agreement with the Center for Children’s Digestive Health (CCDH) which included a $31,000 penalty.
This isn’t the first time a covered entity has paid a “resolution amount” to settle potential violations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules with respect to a business associate agreement (or lack thereof).
- March 2016: North Memorial Health Care of Minnesota paid $1.55 million to settle charges that it failed to enter into a business associate agreement with a major contractor performing certain payment and health care operations activities on its behalf and to complete a risk analysis.
- April 2016: Raleigh Orthopaedic Clinic, P.A. of North Carolina agreed to pay $750,000 to settle charges that it potentially violated the HIPAA Privacy Rule by handing over the protected health information of approximately 17,300 patients without first executing a business associate agreement.
- September 2016: Care New England Health System entered into a settlement relating to the failure to timely amend an existing business associate agreement for the HIPAA Omnibus Final Rule and paid $400,000.
However, unlike the other settlements, in which the covered entity had reported a breach, OCR was not investigating a breach involving CCDH’s protected health information. It appears that the compliance review of CCDH arose in connection with OCR’s investigation of FileFax, a file storage company used by CCDH. Instead of disposing of a client’s unwanted records in a secure manner, FileFax placed the records in an unlocked outdoor dumpster. During the investigation, OCR presumably identified the existing relationship between FileFax and CCDH. Although CCDH began using FileFax for its records in 2003, the only business associate agreement the parties could produce was executed in 2015.
In addition to the $31,000 resolution amount (one of the smallest among prior settlements), CCDH must perform certain obligations and make reports to HHS for a period of two years. During this period CCDH will be subject to increased scrutiny by OCR.
The CCDH settlement is a timely reminder of the importance of a business associate agreement even if no electronic protected health information is involved, and it demonstrates OCR’s readiness to require a settlement agreement, resolution amount and corrective action plan even in the absence of any protected health information being made public. With no sign of a slowdown in OCR compliance and enforcement actions, plan administrators should ensure that, as they enter into arrangements with new service providers for their group health plans, no protected health information is transferred until the business associate agreement (and not just the service agreement) has been executed. Plan administrators may also want to confirm that they have the proper business associate agreement in place with each existing business associate and that any prior business associate agreements are retained for at least six years after the date they were last in effect.