- The Center for Children’s Digestive Health (CCDH) recently settled potential HIPAA violations by not having a business associate agreement in place, and paid OCR $31,000.
The Illinois-based healthcare provider underwent an OCR compliance review in August 2015 after an investigation of a CCDH business associate, FileFax, Inc. Records containing PHI had been stored at FileFax, OCR said in a statement.
“While CCDH began disclosing PHI to Filefax in 2003, neither party could produce a signed Business Associate Agreement (BAA) prior to Oct. 12, 2015,” OCR explained.
Along with not having a business associate agreement in place, the OCR investigation found that the PHI of at least 10,728 individuals was disclosed to FileFax “when CCDH transferred the PHI to Filefax without obtaining Filefax's satisfactory assurance.”
CCDH must also enter into a corrective action plan where it will “develop, maintain, and revise, as necessary, its written policies and procedures to comply with the Federal standards that govern the privacy and security of individually identifiable health information.”
These policies and procedures need to be distributed to all workforce members within 30 days of HHS approval, and then within 30 days of new staff members starting to begin services.
Workforce training is also an important aspect of the corrective action plan, OCR noted, and must include the following:
- All workforce members who have access to PHI have received such training
- These workforce members will continue to receive such training annually
- Each new CCDH workforce member with PHI access will receive such training within fifteen days of beginning work at CCDH
OCR also highlighted key areas that must be included in the business associate agreement.
Before PHI is disclosed to the business associate, one or more individuals must be designated to ensure that CCDH in fact enters into a business associate agreement. Furthermore, a standard template business associate agreement must be created.
“A process for assessing current and future business relationships to determine whether each relationship is with a ‘business associate; as that term is defined under the HIPAA Rules,” must also be created, according to OCR.
There must also be a process created “for negotiating and entering into business associate agreements with business associates prior to disclosing PHI to the business associate.” The agreements must also be documented for at least six years beyond when the relationship is terminated.
Finally, there must be a process to limit PHI disclosures to business associates, OCR maintained. Business associates must only be given PHI “that is reasonably necessary” for the organization to perform its duties.
Not having a proper business associate agreement in place can lead to heavy financial payments for organizations.
In March 2016, North Memorial Health Care of Minnesota agreed to a $1.55 million OCR HIPAA settlement for failing to identity its business associates. North Memorial failed to identify Accretive Health, Inc. as a business associate, according to OCR.
The business relationship between the two organizations allowed Accretive access to North Memorial’s databases containing PHI.
North Memorial filed a breach report in September 2011 when an unencrypted, password-protected laptop was stolen from an Accretive member’s locked vehicle. The report stated that the ePHI of 9,497 individuals was possibly impacted.
Along with failing to have a business associate agreement, OCR determined that North Memorial also did not “complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted across its entire IT infrastructure.”
“Two major cornerstones of the HIPAA Rules were overlooked by this entity,” said then OCR Director Jocelyn Samuels. “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”