$31,000 Settlement for No Business Associate Agreement
Even in the Trump era, HHS has not slowed its pursuit of monetary settlements for HIPAA violations. Recent settlements have included payments of $2,140,000 for allowing PHI to be publicly accessible on the internet; $2,200,000 for theft of unencrypted PHI stored on a pen drive, and $5,500,000 for disclosure of electronic PHI due to failure to control employee and customer access to the covered entity’s IT system.
With those settlement figures, it would be easy for a recent $31,000 settlement go unnoticed. But the settlement announced on April 20 between HHS and the Center for Children’s Digestive Health (“CCDH”) serves as a wake-up call for covered entities and business associates. The only violation by CCDH was that it sent paper medical records to its record storage vendor without a written business associate agreement. There is nothing in the settlement indicating that the PHI was otherwise improperly accessed or used.
The settlement serves as another reminder that HIPAA covered entities should identify all of their business associates and determine whether there is a current business associate agreement in place for each of them. Business associates need to take the same steps with respect to their own subcontractors. Failure to follow these basic HIPAA compliance procedures may not result in HHS pursuing you for a 7-figure settlement, but $31,000 is certainly more than a slap on the wrist.
UPDATE: While nothing in the settlement indicates that the information sent to the storage vendor was improperly accessed or used, there is a good chance that it was. CCDH’s record storage vendor was Filefax, Incorporated. A 2015 investigative news report indicated that Filefax was destroying old client medical records by discarding them in a dumpster instead of properly shredding them. It is likely that the HHS investigation of CCDH was related to an investigation of the news reports.