Small medical practices that think they don’t need to worry about HIPAA privacy and security compliance had better think again. A 6-physician practice in the Chicago area recently paid the U.S. Department of Health and Human Services $31,000 to settle alleged violations of the HIPAA Privacy Rules.
The Center for Children’s Digestive Health, a pediatric gastroenterology practice, entered into a “Resolution Agreement” with HHS and adopted a corrective action plan on April 17, 2017. Two years ago, HHS initiated a compliance review of the Practice. HHS determined that the Practice had failed to enter into a Business Associate Agreement with its medical records storage vendor, Filefax, Inc. Over the years that it contracted with Filefax, the Practice disclosed the PHI of at least 10,728 individuals to Filefax. While there was no evidence of any breach of PHI, the Practice’s failure to enter into a Business Associate Agreement was a clear violation of the applicable HIPAA Privacy Rule.
A Business Associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information (“PHI”) on behalf of a health care entity covered by the HIPAA rules (a “Covered Entity”). The HIPAA Rules require that each Covered Entity that uses a Business Associate must enter into a written agreement requiring the Business Associate to meet certain minimum standards of confidentiality.
A review of the HHS website on which OCR posts examples of its enforcement actions reveals that most of the examples involve large hospitals, national drugstore chains, and large health insurance companies. See https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement.
The list of private practices facing enforcement actions appears to be growing, however. Many of the cases described on the website arose out of a complaint filed with HHS by an individual patient. Physicians, dentists and other private providers would be well advised to take another look at their practices to ensure that they have the necessary policies and procedures in place to comply with HIPAA.