An Illinois pediatric digestive health practice has settled alleged Health Insurance Portability and Accountability Act violations stemming from the disclosure of more than 10,000 patients’ health information to a document-storage company without securing assurances that the data would be safeguarded, the U.S. Department of Health and Human Services announced last Thursday. The Center for Children’s Digestive Health has paid the agency $31,000 and agreed to take corrective actions after an HHS compliance review revealed that the health care provider disclosed the protected health information of at least 10,728 people to FileFax Inc. without obtaining a written business associate agreement that the company would protect the data, as required by HIPAA, according to the April 17 resolution agreement. The health care provider, which has seven clinic locations in Illinois, does not admit liability by agreeing to the settlement, the pact said.
HHS’ Office for Civil Rights launched a compliance review in August 2015, after it had opened an investigation into FileFax, to determine whether CCDH’s disclosure of health information to the document storage company was permissible under HIPAA’s Privacy Rule. That May, Illinois Attorney General Lisa Madigan had hit FileFax with a suit accusing the Chicago-area company of exposing thousands of patient medical records that contained names, birthdates, Social Security numbers and other sensitive personal information, according to a news release from the time.
Hundreds of files containing complete medical records were discovered in a Dumpster outside of FileFax’s office, the suit alleged. HHS’ probe revealed that though CCDH, an entity covered by HIPAA, began disclosing this information to FileFax in 2003, neither party could produce a signed business associate agreement before Oct. 12, 2015, the agency said. In addition to the monetary payment, CCDH agreed to a corrective action plan, requiring the health care provider to make a number of changes to its policies and procedures to comply with the federal standards governing the protection of health information.
Among other things, the medical practice is required to establish a process for assessing current and future relationships to determine whether each is with a “business associate” under HIPAA and a procedure for limiting disclosures of protected health information to business associates to the minimum amount necessary, according to the plan. CCDH’s revised policies and procedures will then go to HHS for approval, at which point they must be distributed to members of the workforce, who will receive training about them, the plan said. The medical practice must comply with the obligations laid out in the plan for two years after the effective date.
Additionally, CCDH is required to keep HHS abreast of the names of its business associates and vendors that create, receive, maintain or transmit health information on its behalf, providing copies of the agreements it maintains with them, according to the plan.