Provider charged with $31k fine for failing to have third-party HIPAA agreement

A lesson learned by an Illinois pediatric provider could save skilled nursing facilities a lot of money.

Skilled nursing facilities (SNFs) often rely on third-party business associates to get work done, including file storage, web portal services, therapy services and dozens of other arrangements that may involve protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA requires a covered entity to obtain written assurances, in the form of a business associate agreement (BAA), that each business associate will appropriately safeguard the PHI it handles, and to do so before PHI is shared. Ensuring that every external business partner is under such an agreement is the responsibility of the SNF, or of any other health facility where the patient information originates; the obligation does not transfer to the vendor.

Chicago's Center for Children's Digestive Health just found out the hard way what can happen when third-party contracting fails to pin down the details. The center paid $31,000 to settle potential HIPAA violations after failing to ensure it had a formal business associate agreement with one of its third-party partners, FileFax, a medical records storage company.

In 2015, paper records for thousands of the center's patients were found in an unsecured dumpster. A Department of Health and Human Services investigation then found that the center "failed to obtain satisfactory assurances from FileFax, in the form of a written business associate agreement, that FileFax would appropriately safeguard the PHI" that was in the company's possession.

The center also was required to develop policies and procedures, and to train its staff on them, for remaining compliant with HIPAA, including a process for documenting that a signed BAA is in place for each of its business associates.
