Eric Fader was quoted in an April 25 article, Health-Care Provider Pays $31K for Lack of Privacy Contract with Vendor, in Bloomberg BNAs Health Care Daily Report and other publications. The article reports that the Illinois-based Center for Childrens Digestive Health (CCDH) may have violated HIPAA when it failed to sign a business associate agreement with a vendor, FileFax, Inc., before transferring nearly 11,000 paper medical records to FileFax for storage.
Under a recent resolution agreement, CCDH agreed to pay the Department of Health and Human Services Office for Civil Rights (OCR) $31,000 and enter into a two-year corrective action plan. Eric told Bloomberg BNA that the $31,000 settlement appears small considering the severity of FileFaxs underlying offense, disposing of unneeded patient records in an unlocked outdoor dumpster rather than shredding them.
This is a reminder from the OCR that a covered entity bears the ultimate responsibility when its business associate fails to comply with its HIPAA obligations, Eric said. Signing a business associate agreement, ideally after both parties have actually read it, will help to educate any entity that still hasnt figured out its responsibilities under HIPAA, he added.