[BreachExchange] Button up Your Business Associates Agreements or Pay the Price

Audrey McNeil audrey at riskbasedsecurity.com
Thu May 11 20:13:11 EDT 2017


Last month, the Office of Civil Rights (OCR) of the U.S. Department of
Health and Human Services (HHS) announced a resolution agreement with the
Center for Children’s Digestive Health (CCDH) which included a $31,000

This isn’t the first time a covered entity has paid a “resolution amount”
to settle potential violations under the Health Insurance Portability and
Accountability Act of 1996 (HIPAA) Privacy and Security Rules with respect
to a business associate agreement (or lack thereof).

March 2016: North Memorial Health Care of Minnesota paid $1.55 million to
settle charges that it failed to enter into a business associate agreement
with a major contractor performing certain payment and health care
operations activities on its behalf and to complete a risk analysis.

April 2016: Raleigh Orthopaedic Clinic, P.A. of North Carolina agreed to
pay $750,000 to settle charges that it potentially violated the HIPAA
Privacy Rule by handing over the protected health information of
approximately 17,300 patients without first executing a business associate

September 2016: Care New England Health System entered into a settlement
relating to the failure to timely amend an existing business associate
agreement for the HIPAA Omnibus Final Rule and paid $400,000.

However, unlike the other settlements, in which the covered entity had
reported a breach, OCR was not investigating a breach involving CCDH's
protected health information.  It appears that the compliance review of
CCDH arose in connection with OCR's investigation of FileFax, a file
storage company used by CCDH.  Instead of disposing of a client's unwanted
records in a secure manner, FileFax placed the records in an unlocked
outdoor dumpster.  During the investigation, OCR presumably identified the
existing relationship between FileFax and CCDH.  Although CCDH began
utilizing FileFax in 2003, the only business associate agreement the
parties could produce was executed in 2015.

In addition to the $31,000 resolution amount (one of the smallest among
prior settlements), CCDH must perform certain obligations and make reports
to HHS for a period of two years.  During this period CCDH will be subject
to increased scrutiny by OCR.

The CCDH settlement is a timely reminder of the importance of a business
associate agreement even if no electronic protected health information is
involved and demonstrates OCR’s readiness to require a settlement
agreement, resolution amount and corrective action plan even in the absence
of any protected health information being made public.  With no sign of a
slowdown in OCR compliance and enforcement actions, plan administrators
should ensure that as they enter into arrangements with new service
providers for their group health plans no protected health information is
transferred until the business associate agreement (and not just the
service agreement) has been executed.  Plan administrators may also want to
confirm that they have the proper business associate agreement in place
with each existing business associate and that any prior business associate
agreements are retained for at least six years after the date last in