Being unable to produce a signed business associate agreement during a routine compliance review by the Department of Health and Human Services Office for Civil Rights (OCR) cost a healthcare company over $30,000 in 2017. The company agreed to the monetary settlement and a corrective action plan to resolve potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), OCR announced April 20. Since 2003, the entity had been disclosing protected health information (PHI) to Filefax, Inc., which stored records containing PHI on its behalf and was therefore acting as its business associate. During the compliance review, neither party could produce a signed business associate agreement dated earlier than Oct. 12, 2015, meaning the arrangement had operated for roughly 12 years without the contract HIPAA requires.
Under HIPAA, a covered entity may share PHI with a business associate only if the two have a written contract, the business associate agreement, in which the business associate commits to appropriately safeguarding the PHI. A business associate is a person or entity that provides services or performs functions on behalf of a covered entity that involve access to PHI. Examples include third-party administrators, subcontractors, and cloud service providers.
OCR found that the healthcare organization had impermissibly disclosed the PHI of at least 10,728 individuals to Filefax during this period, because it had never obtained a business associate agreement in which Filefax committed to appropriately safeguard the PHI.