The Center for Children’s Digestive Health (CCDH) agreed to a settlement worth $31,000 after the Office for Civil Rights (OCR) discovered there was no business associate agreement before 2015.

A press release from the OCR dated April 20 outlines a new HIPAA settlement case between the OCR and the Center for Children’s Digestive Health. This new settlement is worth $31,000 for a non-existent business associate agreement before 2015.

In 2015, the OCR started reviewing FileFax, Inc., which stored protected health information (PHI) for CCDH. The press release doesn’t specifically state the reason for reviewing FileFax; however, it probably stems from the impermissible dumping of medical records in a trash dumpster in Illinois.

During the review, the OCR discovered that FileFax did not have a business associate agreement with CCDH before 2015. CCDH had been disclosing PHI to FileFax since 2003.

Remember: Any third party that has access to PHI for a covered entity must sign a business associate agreement with the covered entity.

In addition to the fine, CCDH has agreed to a corrective action plan, which requires that the organization develop, maintain, and revise written policies as necessary. CCDH will also have to adopt and train on those specific policies. The OCR specified that the policies under the corrective action plan must include business associate agreements.

This case is a clear example of how important it is to have business associate agreements in place for all third parties accessing PHI. It also shows that the OCR will look at absolutely everything during a review, including other organizations outside of the one being reviewed.

To learn more about business associate agreements, start creating them, and have a place to store them digitally, sign up for the HIPAAgps HIPAA compliance tool today.