Lack of Business Associate Agreement Leads to $31K HIPAA Fine

An Illinois pediatric health chain paid a $31,000 HIPAA breach penalty this month after the company it hired to store and manage old paper medical records instead dumped them into an unlocked trash bin at an office park.

Center for Children’s Digestive Health (CCDH) – which operates seven clinics across the state – is among several health care businesses allegedly victimized by the Northbrook, Ill., document storage company FileFax, Inc.

The case offers an important reminder about the compliance implications of storing paper medical records after an organization undergoes digitization.

Investigators from the U.S. Department of Health and Human Services Office of Civil Rights (OCR) alleged that CCDH violated the HIPAA privacy rule by failing to properly engage FileFax’s services.

“CCDH failed to obtain satisfactory assurances from FileFax, in the form of a written business associate agreement, that FileFax would appropriately safeguard the PHI (protected health information) that was in FileFax’s possession or control,” federal authorities wrote in a resolution agreement. “CCDH impermissibly disclosed the PHI of at least 10,728 individuals to FileFax…”

In May of 2015, FileFax was sued by the Illinois Attorney General for allegedly dumping the medical records of thousands of people into an unlocked trash container at a business park.

A person rummaging in the garbage reportedly went to a nearby paper shredding and recycling business, seeking cash for 1,100 pound of paper she’d found, according to an article in the Chicago Tribune.

The recycling business owner recognized the documents as medical records belonging to nearby Suburban Lung Associates, and notified the attorney general’s office.

“This company brazenly violated the law and jeopardized the personal information and privacy of thousands of Illinois residents,” Illinois Attorney General Lisa Madigan said in a release at the time.

The PHI element prompted OCR to launch its own probe, which reached CCDH in the form of a compliance review on August 13, 2015.

“While CCDH began disclosing PHI to Filefax in 2003, neither party could produce a signed Business Associate Agreement (BAA) prior to Oct. 12, 2015,” OCR officials said in a statement.

FileFax officials did not respond to a request for comment from the Chicago Tribune at the time of the lawsuit.

A phone number listed for the business has been disconnected.  

Send tips and news to [email protected].