Lack of Business Associate Agreement Leads to $31K HIPAA Fine

The case against Illinois-based Center for Children’s Digestive Health offers a cautionary lesson about the compliance implications of storing paper medical records after an organization undergoes digitization.

Aldrin Brown, Editor-in-Chief

April 27, 2017

2 Min Read
Lack of Business Associate Agreement Leads to 31K HIPAA Fine

An Illinois pediatric health chain paid a $31,000 HIPAA breach penalty this month after the company it hired to store and manage old paper medical records instead dumped them into an unlocked trash bin at an office park.

Center for Children’s Digestive Health (CCDH) – which operates seven clinics across the state – is among several health care businesses allegedly victimized by the Northbrook, Ill., document storage company FileFax, Inc.

The case offers an important reminder about the compliance implications of storing paper medical records after an organization undergoes digitization.

Investigators from the U.S. Department of Health and Human Services Office of Civil Rights (OCR) alleged that CCDH violated the HIPAA privacy rule by failing to properly engage FileFax’s services.

“CCDH failed to obtain satisfactory assurances from FileFax, in the form of a written business associate agreement, that FileFax would appropriately safeguard the PHI (protected health information) that was in FileFax’s possession or control,” federal authorities wrote in a resolution agreement. “CCDH impermissibly disclosed the PHI of at least 10,728 individuals to FileFax…”

In May of 2015, FileFax was sued by the Illinois Attorney General for allegedly dumping the medical records of thousands of people into an unlocked trash container at a business park.

A person rummaging in the garbage reportedly went to a nearby paper shredding and recycling business, seeking cash for 1,100 pound of paper she’d found, according to an article in the Chicago Tribune.

The recycling business owner recognized the documents as medical records belonging to nearby Suburban Lung Associates, and notified the attorney general’s office.

“This company brazenly violated the law and jeopardized the personal information and privacy of thousands of Illinois residents,” Illinois Attorney General Lisa Madigan said in a release at the time.

The PHI element prompted OCR to launch its own probe, which reached CCDH in the form of a compliance review on August 13, 2015.

“While CCDH began disclosing PHI to Filefax in 2003, neither party could produce a signed Business Associate Agreement (BAA) prior to Oct. 12, 2015,” OCR officials said in a statement.

FileFax officials did not respond to a request for comment from the Chicago Tribune at the time of the lawsuit.

A phone number listed for the business has been disconnected.  


Send tips and news to [email protected].

Read more about:


About the Author(s)

Aldrin Brown

Editor-in-Chief, Penton

Veteran journalist Aldrin Brown comes to Penton Technology from Empire Digital Strategies, a business-to-business consulting firm that he founded that provides e-commerce, content and social media solutions to businesses, nonprofits and other organizations seeking to create or grow their digital presence.

Previously, Brown served as the Desert Bureau Chief for City News Service in Southern California and Regional Editor for Patch, AOL's network of local news sites. At Patch, he managed a staff of journalists and more than 30 hyper-local and business news and information websites throughout California. In addition to his work in technology and business, Brown was the city editor for The Sun, a daily newspaper based in San Bernardino, CA; the college sports editor at The Tennessean, Nashville, TN; and an investigative reporter at the Orange County Register, Santa Ana, CA.


Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like