Provided by: Jennifer Kirschenbaum, Esq.
October 10, 2017
On April 20, 2017 the Office for Civil Rights (OCR) announced an enforcement action against The Center for Children’s Digestive Health (CCDH) resulting in the payment by CCDH of $31,000 to the U.S. Department of Health and Human Services (HHS) to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. CCDH is a small, for-profit health care provider with a pediatric subspecialty practice that operates its practice in seven clinic locations in Illinois. OCR came to CCDH from an ancillary investigation of its business associate, FileFax, Inc., which stored records containing protected health information on behalf of its clients, including CCDH. The citation received resulting in the fine: failure for either party to produce a Business Associate Agreement.
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/ccdh/index.html
This determination is of particular interest (to me) because it is the first of its kind published by OCR. The message is coming in loud and clear – Business Associates – be on the watch because OCR may come knocking. For covered entities – also a message - the onus of a proper relationship with third party vendors will fall on you. Caveat Emptor.
