When it comes to missing HIPAA Business Associate Agreements, investigators strike gold in defunct business client list
Remember last week’s HIPAA Horror Story? You know the one featuring a company that, despite being out of business, got hit with a $100,000 data breach violation penalty?
There’s more. As we demonstrate each week, where there’s a data breach, there’s probably a missing Business Associate Agreement.
Business Associate Agreements are low hanging fruit for HIPAA investigators
During the investigation of medical records service contractor FileFax, federal investigators accessed the full client list of the business. They correctly assumed that one missing Business Associate Agreement would lead to more.
It’s just good investigative practice, right? After all, if you find one bad actor, all you have to do is query its other clients. That’s easy money for the feds.
Where one violation is found, many others are often nearby
Enter the tiny Center for Children’s Digestive Health (CCDH), an Illinois specialty pediatric practice operating seven locations throughout the state. Investigators discovered that CCDH was operating without a Business Associate Agreement.
A Business Associate Agreement is a legal contract between a HIPAA (Health Insurance Portability and Accountability Act) Covered Entity and any business that provides a product or service with access to Protected Health Information (PHI).
Covered entities include health care providers, health insurance companies and health plans.
HIPAA rules require all covered entities and their business associates to execute a Business Associate Agreement or face stiff federal penalties.
Further investigation of CCDH exposed the fact that the health care provider had been working with FileFax since 2003, potentially exposing many thousands of private patient records to unauthorized eyes.
CCDH was forced to pay $31,000 in penalties to the Office for Civil Rights, the HIPAA investigative agency. In addition to the fine, management must comply with a costly Corrective Action Plan.
Your homework: whether you’re a covered entity or a business associate, make sure all of your HIPAA-covered relationships are protected by a valid Business Associate Agreement. Need help? We’re here for you.