The Center for Children’s Digestive Health, S.C. (CCDH) has paid $31,000 and entered into a two-year corrective action plan with the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
HIPAA requires that Covered Entities and their Business Associates enter into written business associate agreements to ensure that protected health information is appropriately safeguarded. Failure to produce such an agreement may suggest the impermissible disclosure of protected health information.
The inability to produce a signed business associate agreement during a Department of Health and Human Services Office for Civil Rights compliance review cost the Center for Children’s Digestive Health $31,000.
CCDH agreed to the monetary settlement and corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act of 1996, OCR announced April 20.
CCDH had been disclosing protected health information to Filefax, which had been acting as a business associate and storing records containing protected health information since 2003. During the course of the OCR compliance review, neither CCDH nor Filefax could produce a signed business associate agreement prior to Oct. 12, 2015.
Under HIPAA, covered entities may only share PHI with business associates if they have a contract (business associate agreement) affirming the business associate will take appropriate steps to protect the PHI.
Examples of HIPAA business associates
According to the HHS, examples of HIPAA business associates include:
- When a health plan uses a third-party administrator to help with claims processing.
- If a CPA firm provides accounting services to a healthcare provider and has access to protected health information.
- When a hospital has a consultant perform utilization reviews.
- When a healthcare clearinghouse translates a claim from a nonstandard format to a standard format for a healthcare provider and then sends the processed transaction to a payer.
- When a physician uses an independent medical transcriptionist’s services.
- When a pharmacy benefits manager manages a health plan’s pharmacist network.
- Mobile application developers could also be considered HIPAA business associates because many healthcare mobile applications handle PHI.