HIPAA Settlement Underscores Need to Have Signed BA Agreements in Place

Regulation | April 25, 2017

Although the case described below does not involve an aging services organization, it nevertheless underscores the need for all covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to ensure that they enter into signed Business Associate Agreements (BAAs) with all vendors that handle protected health information (PHI).

The Center for Children's Digestive Health (CCDH) has paid the U.S. Department of Health and Human Services (HHS) $31,000 to settle potential violations of the HIPAA Privacy Rule and agreed to implement a corrective action plan. CCDH is a small, for-profit health care provider with a pediatric subspecialty practice that operates in seven clinic locations in Illinois.

In August 2015, the HHS Office for Civil Rights (OCR) opened a compliance review of CCDH after it began investigating a business associate, FileFax, Inc., which stored records containing PHI for CCDH. While CCDH began disclosing PHI to FileFax in 2003, neither party could produce a signed BAA prior to Oct. 12, 2015.

OCR has made available additional information on BAAs.