13 July 2017

Failure to Enter a HIPAA Business Associate Agreement Can be a Costly Mistake


For those of you who follow this blog, one thing will become evident over time: one of my co-authors, Tim Gutwald, and I frequently blog about HIPAA-related privacy issues.  That’s because both of our practices include a fair amount of HIPAA work.  And, one tends to write about what they are passionate about (to the extent that one can be passionate about HIPAA).

HIPAA can be scary for two reasons: (1) compliance can be difficult; and (2) fines for noncompliance can be expensive.  But, there are certain things that entities can do to reduce the risk of HIPAA fines, such as seek assistance from a professional who is well-versed in HIPAA (we are happy to assist).  Arguably the simplest thing you can do is audit your list of vendors who deal with your entity’s Protected Health Information (PHI)—called “business associates”—to ensure a proper Business Associate Agreement (BAA) is in place.

A recent enforcement action by HHS’s Office of Civil Rights (OCR) highlights why this is an important step.  In April 2017, the Center for Children’s Digestive Health (CCDH) entered into a resolution agreement with OCR to settle a potential HIPAA violation.  The HIPAA violation: the failure to have a BAA with one of its business associates.  The price of that violation: $31,000.

Here are some key takeaways from this OCR enforcement action:

  • For those of you who follow HIPAA enforcement actions by OCR, $31,000 may seem like a relatively small fine when compared to other OCR enforcement actions (which usually include fines in the hundreds of thousands, if not millions, of dollars). CCDH is a small, for-profit health care provider with a pediatric subspecialty practice in various locations throughout Illinois.  And fines under resolution agreements with OCR tend to vary by an entity’s size, with smaller entities owing smaller fines.  (In fact, in September 2016, OCR entered into a resolution agreement with a much larger entity for a BAA failure.  That fine was $400,000.)
  • OCR’s investigation of CCDH was not initiated by a complaint or a breach notification. Rather, it began as a result of OCR’s investigation of the business associate with which CCDH had failed to enter into a BAA.  Since there are at least two parties to each BAA, this doubles the chances of an OCR enforcement action related to the failure to enter into a BAA.

Please contact any member of Miller Johnson’s Privacy and Data Security team if you have any questions or would like assistance in reviewing your vendor list to ensure that appropriate BAAs are in place where necessary.