The Center for Children’s Digestive Health (CCDH) signed over a $31,000 check to the Department of Health and Human Services (HHS) to settle HIPAA violations. CCDH freely provided nearly 11,000 records containing protected health information (PHI) to the company FileFax, Inc. for long-term storage. The issue is not that CCDH transferred the records but that they failed to obtain assurances that FileFax would safeguard the PHI before handing it over. FileFax did not sign a business associate agreement (BAA) and CCDH paid the price.
CCDH is a pediatric practice that runs seven clinics in Illinois. CCDH contracted with FileFax in 2003 to start storing their patient records off-site, but neither business could provide a copy of a signed BAA from before Oct. 12, 2015.
The investigation originated with the business associate (BA), not the healthcare practitioner. The Illinois State Attorney General (AG) began investigating FileFax after learning of the company’s improper PHI disposal practices. The AG learned of those practices after an enterprising woman retrieved over 1,100 pounds of paper patient records from an unlocked dumpster at a FileFax facility and gave them to a shredding company in hopes of being paid for the recycled paper. The shredding company recognized that the documents contained PHI and notified the AG. HHS then began compliance reviews of all the healthcare practices contracting with FileFax, including CCDH.
A business covered by HIPAA is free to contract with a BA to perform functions on its behalf or to provide services to it. Before doing so, however, the business must obtain assurances that the BA will safeguard health information, which is exactly the step CCDH skipped. This requirement is formalized in the business associate agreement (BAA): a contract in which the BA agrees to comply with the HIPAA privacy and security rules.
Businesses covered by HIPAA need a policy in place that directs them to scrutinize their business relationships. To determine whether a person or entity they contract with is their business associate, they should ask two questions:
- Does the person or entity create, receive, maintain or transmit PHI on behalf of the business; or
- Does the person or entity provide services to the business that involve the disclosure of PHI?
You must use a BAA if the answer to either question is yes. A BA has the same obligation to conduct this analysis for its own subcontractors. The analysis is not necessary for the business’s own employees.
The rules interpret ‘disclosure’ broadly, which sweeps in many service providers. Besides the release or transfer of PHI, disclosure also means “the provision of access to” PHI. In other words, if a person or entity providing services to a healthcare practice has access to files or computers containing PHI as part of those services, it may be a BA even if it never looks at or uses the PHI. Common examples include entities providing accounting, legal, or IT services to HIPAA-covered businesses.
If in doubt, use a BAA. It is just as important not to neglect executing a BAA when one is undoubtedly needed, as CCDH did. HHS provides a sample BAA here. It is a good starting point, but don’t simply adopt sample forms: tailor whatever agreement you use to reflect your actual practices. If still in doubt, obtain legal counsel.
The Resolution Agreement and Corrective Action Plan between CCDH and HHS can be found here.