06.22.2017

HIPAA Alert: Lack of a Business Associate Agreement Violated Privacy, Cost Health Care Provider $31K

Are Appropriate Business Associate Agreements in Place?  

Do you understand the danger of allowing a vendor access to protected health information without having a Business Associate Agreement in place?

Recently, a pediatric practice in Illinois failed to follow HIPAA guidelines in its dealings with a third-party vendor. The lack of a written Business Associate Agreement cost the practice $31,000.

In April 2017, the Center for Children’s Digestive Health (CCDH) in Illinois agreed to pay the U.S. Department of Health and Human Services (HHS) $31,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule and agreed to implement a corrective action plan. 

This financial penalty resolved a 2015 compliance review initiated by HHS following an investigation of a business associate, FileFax, Inc., which stored records containing protected health information (PHI) for CCDH. CCDH began disclosing PHI to FileFax in 2003, yet neither party could produce a signed Business Associate Agreement dated prior to Oct. 12, 2015.

Learn More

  • For more information on this particular case, see the resolution agreement and corrective action plan on the HHS website.

  • For questions about HIPAA, contact HIPAA Privacy Officer Zorana Vojnovic at (402) 354-6863 or zorana.vojnovic@nmhs.org.