Lack of a Written Business Associate Agreement with a Vendor and Careless Handling of HIV Information Result in Significant Settlements

Lack of a Business Association Agreement

On April 20, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a $31,000 settlement with the Center for Children’s Digestive Health, S.C. (CCDH) for CCDH’s failure to have a written business associate agreement (BAA) with Filefax, Incorporated (Filefax). CCDH is a small, for-profit health care provider with a pediatric subspecialty practice that operates its practice in seven clinic locations in Illinois. Filefax is a third-party vendor that stored inactive paper medical records for patients of CCDH. By failing to have a BAA with Filefax as required under the Health Insurance Portability and Accountability Act (HIPAA), CCDH thus impermissibly disclosed the protected health information (PHI) of at least 10,728 individuals to Filefax when CCDH transferred the PHI to Filefax.

On August 13, 2015, HHS initiated a compliance review of CCDH following an initiation of an investigation of Filefax. While CCDH began disclosing PHI to Filefax in 2003, neither party could produce a signed BAA prior to October 12, 2015.

Unauthorized Disclosure of Sensitive Patient Information

On May 23, OCR announced a $387,200 settlement with St. Luke’s-Roosevelt Hospital Center Inc. (St. Luke’s). St. Luke’s operates the Institute for Advanced Medicine, formerly Spencer Cox Center for Health (Cox), which provides comprehensive health services to persons living with HIV or AIDS and other chronic diseases.

On September 12, 2014, OCR received a complaint against Cox alleging that on September 10, 2014, a staff member impermissibly disclosed the complainant’s PHI by faxing his medical records to his employer despite the complainant specifying that the records be sent to his home address. On March 11, 2015, HHS notified St. Luke’s that it was initiating an investigation regarding St. Luke’s compliance with the HIPAA rules. OCR’s investigation indicated that St. Luke’s impermissibly disclosed PHI of two identified patients when Cox staff members faxed one individual’s PHI to his workplace and the other individual’s PHI to an office at which he volunteered. Further, St. Luke’s failed to reasonably safeguard two identified patients’ PHI from any intentional or unintentional disclosure during faxing, resulting in an impermissible disclosure of both patients’ PHI against their expressed instructions. OCR remarked that “[g]iven the type of PHI involved, specifically information about HIV, AIDS, and mental health, the impermissible disclosures were egregious.”

The Corrective Action Plans

OCR entered into a Corrective Action Plan (CAP) with each of CCDH and St. Luke’s. The CAPs require CCDH and St. Luke’s to, among other actions, do the following:

• Review and revise, as necessary, its written policies and procedures concerning the uses and disclosures of PHI;
• Provide such policies and procedures to HHS for review and approval;
• Distribute such policies and procedures to all members of the workforce after HHS’ approval of such policies and procedures and to new members of the workforce within 30 days of their beginning of service;
• Obtain a signed compliance certification from all members of the workforce stating that the workforce members have read, understand and shall abide by such policies and procedures;
• Assess, update, and revise, as necessary, such policies and procedures as appropriate but at least annually (and more frequently if appropriate); and
• Review and revise, as necessary, its current training materials to include instructions on safeguarding PHI when providing individuals such information.

Main Takeaways

1. Prior to the start of a vendor relationship, a covered entity should have written BAAs in place with any and all business associates (persons or entities that create, receive, maintain, or transmit PHI or that provide legal, actuarial, accounting, consulting, and other services to you where the provision of the service involves the disclosure of PHI). Ensure the business associate agreements meet the requirements of HIPAA by covering all the required elements.
2. Implement, maintain and review written HIPAA policies and procedures that are reasonable and appropriate for your company.

Calfee stands ready to assist with a compliance review of your HIPAA practices, including your business associate agreements.