Are Your Business Associate Agreements and Policies Solid? Earlier This Year Small Provider Paid $31K for Its BAA Mistake

The Center for Children’s Digestive Health (CCDH) is a covered entity, as defined.at 45 C.F.R. § 160.103 and is required to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). CCDH is a small seven center pediatric practice based in Illinois. In April of this year, it entered into a Resolution Agreement with Department of Health and Human Services (HHS) for an alleged Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule violation.  CCDH could not provide evidence that it had a Business Associate Agreement in place with its Business Associate FileFax, Inc. that covered the time FileFax had stored protected health information (PHI) on behalf of CCDH.

Pursuant to the terms of the Resolution Agreement dated April 14, 2017 CCDH paid the U.S. Department of Health and Human Services (HHS) $31,000 to settle an alleged HIPAA violation).  In addition, the CCDH agreed to implement a corrective action plan, the terms of which were set out in the Resolution Agreement. 

On May 6, 2015 the Attorney General office in Illinois filed a lawsuit against FileFax, Inc. document storage company for exposing thousands of patient medical records containing names, dates of birth, social security numbers and other sensitive personal information when it improperly disposed of the records on behalf of its client Suburban Lung Associates (SLA).  CCDH was also a client of FileFax. FileFax stored records containing protected health information (PHI) on behalf of CCDH.

Because CCDH was also a client of FileFax, in August 2015, the HHS Office for Civil Rights (OCR) conducted a compliance review of CCDH that stemmed from OCR’s investigation of FileFax, a business associate of CCDH. CCDH began disclosing PHI to Filefax in 2003.  Neither CCDH nor FileFax could provide evidence that an executed Business Associate Agreement (BAA) was in place between 2003 and the time of the OCR review.  The only agreement in place between CCDH and FileFax was one dated Oct. 12, 2015, twelve years after the Business Associate relationship begun.

HHS Findings

HHS' investigation determined that “CCDH failed to obtain satisfactory assurances from Filefax, in the form of a written business associate agreement, that Filefax would appropriately safeguard the PHI that was in Filefax's possession or control.” It also concluded that “CCDH impermissibly disclosed the PHI of at least 10,728 individuals to Filefax when CCDH transferred the PHI to Filefax without obtaining Filefax' s satisfactory assurances, in the form of a written business associate agreement, that Filefax would appropriately safeguard the PHI.

Resolution Agreement

Financial Penalty

CCDH paid $31,000.00(Resolution Amount) on the Effective Date of the Resolution Agreement, April 14, 2017

Corrective Action Plan

In addition, CCDH was required to implement a Corrective Action Plan that mandated CCDH, among other things, to develop, maintain, and revise, as necessary its written policies and procedures to comply with the Federal standards that govern the privacy and security of individually identifiable health information.  Additionally, CCDH had to distribute those policies, and maintain evidence that such policies were distributed.

The Resolution Agreement provided further that the policies and procedures at minimum had to include measures that address the following Privacy and Security Rule provisions:

Business Associate Agreements - 45 C.F.R §§ 164.308(b) and 164.502(e), including:

(a) the designation of one or more individual(s) who are responsible for ensuring that CCDH enters into a business associate agreement with each of its business associates prior to disclosing PHI to the business associate;

(b) the creation of a standard template business associate agreement;

(c) a process for assessing current and future business relationships to determine whether each relationship is with a business. associate; 

(d) a process for negotiating and entering into business associate agreements with business associates prior to disclosing PHI to the business associates;

(e) a process for maintaining documentation of business associate agreement for at least 6 years beyond the date of when the business associate relationship is terminated; and

(f) a process to limit disclosures of PHI to business associates that complies with the minimum necessary rule.

Privacy Training - 45 C.F.R. § 164,530(b)(1), which requires a covered entity to train all members of its workforce on the policies and procedures with respect to protected health information as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.

Security Awareness Training - 45 C.F.R. § 164.308(a)(5)(i), which requires a covered entity to implement a security awareness and training program for all members of its workforce.


How to Avoid These HIPAA Violations: The Lessons Learned

LESSON #1 –Develop a Process to Properly Identify Business Associates

Develop a process to assess current and future business relationships to determine which vendors, consultants, and sub-contractors meet the definition of a Business Associate.

This process should include a review of the scope of work of existing and new contracts to determine if the entity or individual will create, receive, maintain, or transmit protected health information on your behalf.  Be sure to examine business relationships where a contract may not be in place to determine if the entity or individual has or may have access to PHI in the scope of performing services on your behalf. 

Remember that business relationships are often times evolving and the compliance and legal team (or those responsible for ensuring that a Business Associate Agreement is in place) are not always brought up-to-date in real time.  If it is your job to see that Business Associate Agreements are properly executed, periodically ask questions of team members who directly interact with those potential business associates to ascertain the current and actual scope of work being performed.  You must ensure that the scope of work has not changed to include access protected health information or individually identifiable health information, where a Business Associate Agreement is now required.

Often time Business Associates are not properly identified because team members are not aware that the vendor or consultant will (or may) have access to PHI.  A few examples of type of vendor or consultant that are sometimes missed (not properly identified as Business Associates) are listed below: 

  • Fax Service Providers. There is a conduit exception related to Business Associate Agreements that provide that when information is just passing through a Business Associate Agreement is not required (for example, sending information with a carrier i.e. FedEx, UPS, USPS). This exception is sometimes erroneously applied to fax service providers. Fax service providers do not simply pass a fax from one point to another. Incoming and outgoing faxes are generally stored en route by the fax provider. 
  • Shedder Companies and File Storage Companies. Companies that store information such as FileFax, even if they don’t have a reason to access it are business associates. The applies to shedder companies.
  • Information Technology Providers.  Entities and persons that provide certain IT services are often over looked, such as:
    • Apps to process PHI
    • Backup storage companies
    • Cloud based software vendors that store PHI
    • Cloud hosting services
    • Electronic data destruction services
    • Electronic security tools
    • Technical support teams that have access to PHI

Note: You should consult with your legal team to help you determine if a Business Associate Agreement is necessary.  Many companies will refuse to sign Business Associate Agreemens if it is not clear that one is required, as their attorneys may advise them against agreeing to take on the liability and obligations or a Business Associate Agreement if it not required by HIPAA. 

LESSON # 2 –Develop a Process to Ensure That When Required, a Business Associate Agreement is Executed Timely

Have a process in place to ensure that Business Associate Agreements are entered into prior to disclosing PHI. The first step is deciding if an entity or individual that is performing work on your behalf meets the definition of a business associate.  The next step is making sure that agreement is executed prior to disclosing PHI. You will have to determine what workflow works best for your company. The bottom line is to find an effective process that your team can and will flow.  

LESSON # 3 –Perform Your Due Diligence Before Disclosing PHI

A HIPAA Business Associate Agreement does not release you from liability or from your duty to perform due diligence.  You should perform some level of due diligence before the Business Associate Agreement is executed.  You should trust and have satisfactory assurances that the Business Associate can be trusted with the your clients' PHI.  Conduct a risk assessment and request a copy of the Business Associate’s internal HIPAA policies.  In addition, monitor whether the Business Associate’s employees have had Privacy and Security training, request logs of security and privacy incidents, and perform periodic audits. Finally, make sure your contract provides that you have the right to monitor and audit for HIPAA compliance.

LESSON # 4 –Ensure that Your Business Associate Agreements Have the Required Terms and Are Up-to-Date.

Review Business Associate Agreements to ensure that Business Associate Agreements contain all the regulatory required terms.  Develop a Business Associate Agreement template and note which terms must remain so that they are not inadvertently negotiated out of the agreement. Consult with your legal team to ensure that your Business Associate Agreement template is solid.

Make sure your agreements are still in effect.  Having an expired Business Associate is the same as not having one.

LESSON # 5 –Maintain Evidence of Executed Business Associate Agreements

Have a document retention policy in place that provides guidance for how long you should maintain copies of your Business Associate Agreements.  How long you retain copies of your Business Associate Agreement will depend on your companies record retention policy, your state law requirements, and what is required under HIPAA.  To meet HIPAA requirements, you should maintain copies of the agreement for at least six years after the expiration of the agreement.