Healthcare IT News reports that the Center for Children’s Digestive Health shared protected health info with FileFax, but didn’t have a BAA in place.
The failure of one Illinois specialist to procure a business associate’s agreement has cost it more than $30,000 in a settlement with The U.S. Department of Health and Human Services
The Center for Children’s Digestive Health, a small, for-profit pediatric subspecialty practice that operates seven clinic locations in the Chicago area, had contracted in 2003 with FileFax, a Northbrook, Illinois-based firm that stores medical records.
Despite the fact that the files contain protected health information, an investigation from HHS’ Office for Civil Rights discovered that neither party could show a signed business associate agreement prior to Oct. 12, 2015.
In May of 2015, the Illinois Attorney General brought suit against FileFax for improper handling of PHI, charging that its employees had tossed the paper medical records of thousands of patients into an unlocked dumpster.
That summer, during a compliance review of Center for Children’s Digestive Health, OCR found that CCDH had “failed to obtain satisfactory assurances from Filefax, in the form of a written business associate agreement, that Filefax would appropriately safeguard the PHI” that was in the company’s possession.
Read the entire Healthcare IT News story here.
Discover how to avoid this scenario with Fortified’s Third Party Risk Management offering that protects your data, manages risk, and empowers third party relationships with a scalable, comprehensive vendor security program. Contact us for a free consultation.