[BreachExchange] Small Healthcare Provider Pays $31,000 for Failing to Have a Business Associate Agreement With File Storage Vendor

Audrey McNeil audrey at riskbasedsecurity.com
Thu Apr 27 19:28:31 EDT 2017


http://www.jdsupra.com/legalnews/small-healthcare-provider-pays-31-000-44744/

Disclosing protected health information (PHI) to a business associate
without a compliant business associate agreement (BAA) is an improper
disclosure under the HIPAA privacy and security regulations. According to
the HHS Office for Civil Rights (OCR), an error like that can cost a small
healthcare provider $31,000.

OCR recently announced a resolution agreement (pdf) with the Center for
Children’s Digestive Health, S.C. (CCDH), a “small, for-profit health care
provider with a pediatric subspecialty practice that operates its practice
in seven clinic locations in Illinois.” According to the resolution
agreement, OCR apparently learned of the missing BAA while investigating
CCDH’s file storage vendor, FileFax, Inc., which stored CCDH’s PHI.
Responsible for enforcing the privacy and security rules under HIPAA, OCR
then commenced a compliance review of CCDH. It reported finding that
neither CCDH nor FileFax could produce a signed BAA applicable to periods
that CCDH had shared PHI with FileFax.  Without an admission of liability,
CCDH agreed to resolve the matter by paying $31,000 and agreeing to comply
with a comprehensive Corrective Action Plan (CAP).

The Health Information Technology for Economic and Clinical Health (HITECH)
Act made a number of changes to HIPAA, including to the rules concerning
“business associates.” Among those changes were updates to BAAs that the
HIPAA rules require covered entities to maintain with their business
associates. A covered entity’s business associates include third-party
service providers, such as: claims administrators, accounting firms, law
firms, consultants, cloud and other data storage providers.

The regulations make clear that even though business associates are
directly subject to many of the HIPAA privacy and security requirements,
BAAs remain necessary for compliance. A starting point for BAA compliance
is the set of sample provisions posted by the OCR. However, there are other
issues that parties to a BAA will want to address, such as: specificity
concerning the safeguards that should be in place, data breach coordination
and response, indemnity, cybersecurity insurance, and agency status. More
information about business associates and BAAs can be accessed here.

Covered entities also should remember that the HIPAA regulations are not
the only rules that require written assurances from third-party service
providers concerning security of personal information. A number of state
laws (e.g., California, Massachusetts, Maryland, New Mexico, New York,
Oregon) require businesses to have contracts with third-party service
providers to safeguard personal information. Of course, even in the absence
of a federal or state law, taking steps to ensure vendors secure the
confidential information they are provided, such as through a detailed data
security agreement, is a prudent practice.