On April 17, 2017, the Center for Children's Digestive Health in Illinois ("CCDH") entered into a resolution agreement with HHS pursuant to which CCDH agreed to pay $31,000 to settle potential HIPAA privacy rule violations. The primary basis for the settlement was the lack of a business associate agreement between CCDH and one of its business associates, which HHS determined demonstrated a lack of effective control and review of CCDH's HIPAA policies and procedures.
FileFax, Inc. ("FileFax") is an Illinois record storage and disposal company. FileFax's clients included healthcare providers, such as CCDH. FileFax's services to those providers included the storage and disposal of medical records. A whistleblower led to a 2015 investigation of FileFax by the Illinois Attorney General. HHS then discovered that FileFax was discarding medical records in an unlocked dumpster adjacent to its building and had also shipped a large volume of other medical records to a third party for recycling. It is unclear if HHS investigated all healthcare providers doing business with FileFax, but HHS began a HIPAA compliance review of CCDH in late 2015 as a result of the FileFax investigation. During the CCDH investigation, HHS determined that FileFax was a business associate of CCDH and that CCDH had sent the medical records of more than 10,000 individuals containing protected health information for storage and disposal to FileFax over a 12-year period without entering into a business associate agreement or otherwise obtaining satisfactory assurances that FileFax was HIPAA compliant.
View the Resolution Agreement.
Blogs -
Practical Benefits Lawyer
No Business Associate Agreement is Enough to Result in a $31,000 Settlement