HIPAA Horror Stories

The Zombie Strikes Again

one-minute read

When it comes to missing HIPAA Business Associate Agreements, investigators strike gold in a defunct business's client list

Remember last week's HIPAA Horror Story? You know, the one featuring a company that, despite being out of business, was hit with a $100,000 penalty for a data breach?

There’s more. As we demonstrate each week, where there’s a data breach, there’s probably a missing Business Associate Agreement.

Business Associate Agreements are low-hanging fruit for HIPAA investigators

During the investigation of medical records service contractor FileFax, federal investigators accessed the company's entire client list. They correctly assumed that one missing Business Associate Agreement would lead to more.

It's just good investigative practice, right? After all, once you find one bad actor, all you have to do is check its other clients. That's easy money for the feds.

Where one violation is found, many others are often nearby

Enter the tiny Center for Children's Digestive Health (CCDH), an Illinois specialty pediatric practice operating seven locations throughout the state. Investigators discovered that CCDH had been sharing patient records with FileFax without a Business Associate Agreement in place.

A Business Associate Agreement is a legal contract between a HIPAA (Health Insurance Portability and Accountability Act) Covered Entity and any business that provides a product or service with access to Protected Health Information (PHI).

Covered entities include health care providers, health insurance companies and health plans.

HIPAA rules require all covered entities and their business associates to execute a Business Associate Agreement or face stiff federal penalties.

Further investigation revealed that CCDH had been working with FileFax since 2003, potentially leaving many thousands of private patient records open to unauthorized eyes.

CCDH was forced to pay $31,000 in penalties to the Office for Civil Rights (OCR), the agency that investigates HIPAA violations. In addition to the fine, management must comply with a costly Corrective Action Plan.

Your homework: whether you're a covered entity or a business associate, make sure every one of your HIPAA-covered relationships is protected by a valid, signed Business Associate Agreement. Need help? We're here for you.

The HIPAA E-Tool® makes compliance fast and easy. Get your free HIPAA Quick Start kit, complete with a webcam privacy guard, HIPAA Hot Zone labels and a HIPAA checklist delivered directly to your office.

Don’t become a HIPAA Horror Story! HIPAA compliance is easy, when you know the rules.

Copyright © 2020 ET&C Group LLC.
