[ Friday, April 21, 2017 ]
A Small Fine:
Jeff [1:25 PM]
one of their smallest HIPAA fines yesterday. Center for Children's Digestive Health, in suburban Chicago, agreed to pay a $31,000 fine for failing to have a BAA in place with its document management and destruction company, FileFax. The press release indicated that the investigation started with an "investigation of a business associate," which is presumably FileFax.
Given the timing (the CCDH investigation started August 2015), it's likely that the entire matter started in February 2015, when someone went dumpster-diving to collect paper to sell to a recycler. The paper included a lot of medical records from Suburban Lung Associates, another Chicagoland healthcare provider. The recycler let the Illinois AG know, who started an investigation of Suburban Lung, which led to the provider's document management vendor, FileFax. Presumably, OCR was notified and commenced an investigation of FileFax, which led them to discover CCDH as another FileFax customer with no BAA, despite the fact that CCDH had used FileFax since the beginning of the HIPAA era.
I suspect that no PHI from CCDH was known to be improperly disclosed by FileFax, so there's a "no harm" element here that kept the fine down. I also suspect that CCDH has good HIPAA policies and procedures, cooperated fully with OCR, and quickly resolved any outstanding HIPAA violations. This could also be an indication that OCR is interested in some "commodity" style enforcement actions: instead of rare but huge fines for egregious breaches, OCR may be looking to increase the number of settlements while reducing the dollar amounts, to encourage resolution of existing cases and increase compliance by making the possibility of a fine more likely, even though the dollar amount would be lower. $30,000 still stings for a small business.