The Absence of a Business Associate Agreement Can Be Costly
May 04, 2017
“For the want of a nail the shoe was lost,
For the want of a shoe the horse was lost,
For the want of a horse the rider was lost,
For the want of a rider the battle was lost,
For the want of a battle the kingdom was lost,
And all for the want of a horseshoe-nail.” - Benjamin Franklin
In 2015, hundreds of files containing complete medical records were found, having allegedly been discarded in an unlocked garbage dumpster outside of the Northbrook, IL office of FileFax, Inc. (“FileFax”). Although none of the records discovered in the dumpster belonged to the Center for Children’s Digestive Health (“Children’s Health”), the discovery ultimately led to Children’s Health paying thousands of dollars to settle claims of potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
FileFax was in the business of storing records containing protected health information (PHI) for medical providers. During its investigation of FileFax over the records found in the dumpster behind the FileFax office, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) also opened an investigation of Children’s Health, which OCR found had used FileFax’s storage services.
Although it does not appear that FileFax had improperly stored any of the records from Children’s Health, neither FileFax nor Children’s Health could produce a Business Associate Agreement that had been signed and in effect before the investigation began. OCR therefore alleged that Children’s Health’s disclosure of the PHI of more than 10,000 patients to FileFax for storage, without a Business Associate Agreement in place, was an impermissible disclosure under the HIPAA Privacy Rule. Children’s Health agreed to pay HHS $31,000 to settle the claim and to implement a Corrective Action Plan.
Like thousands of other medical providers that may not have all of their Business Associate Agreements in place, Children’s Health probably trusted that FileFax would protect its records without one. Further, despite the alleged discovery of another facility’s records in FileFax’s dumpster, there does not appear to be any evidence that FileFax failed to protect the records of Children’s Health. However, because neither party could produce an executed copy of a Business Associate Agreement, OCR alleged that Children’s Health had failed to fulfill its responsibility to protect patient information as required by HIPAA. The point is worth underlining: the violation alleged was not a loss of data but the absence of the written agreement that HIPAA requires before PHI is handed to a vendor.
Fortunately for the children it serves, Children’s Health will not lose the kingdom because of this oversight. However, for the want of a nail, Children’s Health lost $31,000, entered into an expensive Corrective Action Plan, and incurred negative press that is likely to damage its reputation in the community. Still, it could have been much worse, as HIPAA violations have resulted in multi-million dollar settlements.
Business Associate Agreements are just one of many often-overlooked requirements of health care regulations. Busy physicians and overworked staff are often unable to adequately monitor their compliance with the ever-increasing regulations. Don’t risk your practice and your reputation by overlooking a seemingly small detail. Let Leitner, Williams, Dooley & Napolitan, PLLC review your practices and records to ensure that your practice is adequately protecting the private information of your patients. Contact Dennis Sadler at (901) 527-0214 or dennis.sadler@leitnerfirm.com.