Small Provider Issued HIPAA Fine for Vendor’s Non-Compliance
If you share patient health data with a third-party vendor, you could be putting your practice at risk of a HIPAA fine!
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a HIPAA fine of $31,000 against the Illinois-based Center for Children’s Digestive Health (CCDH). The HIPAA fine was issued for a missing Business Associate Agreement (BAA) between CCDH and FileFax, its file storage vendor.
Business Associate Agreements are a core part of the HIPAA Omnibus Rule, which went into effect in 2013 and made it mandatory for Business Associates to be HIPAA compliant.
Business Associates include all third-party vendors that are paid to handle Protected Health Information (such as health care data, patient names, dates of birth, addresses, social security numbers, etc.) in any way. Business Associates can include physical and cloud storage services, EHRs, telemedicine platforms, and billing firms, among others.
Your Vendors Could Put You at Risk
When OCR investigated FileFax, federal investigators discovered the missing BAA and then pursued CCDH. HIPAA compliance now reaches beyond the four walls of your practice to the vendors you share data with.
By not addressing the extensive privacy and security measures required by federal HIPAA regulation, you put your practice at risk of reputational and financial damage.
Additionally, violations uncovered by investigations into your vendors and Business Associates can trigger a full investigation of your practice. HIPAA investigations check your organization’s compliance against the full extent of the HIPAA rules, and could lead to even further fines across the scope of your business if you don’t have a HIPAA program.
That’s why it’s essential to have a HIPAA compliance program in place that protects your practice by addressing all of the regulatory requirements.
This $31,000 settlement with a small provider proves more than anything that HIPAA violations can come from some of the least expected places at any time. You need to be doing everything you can to protect your practice, no matter the size.
Compliancy Group gives behavioral health professionals confidence in their HIPAA compliance with The Guard™. The Guard is a web-based HIPAA compliance solution, built by former auditors to help simplify compliance.
Compliancy Group’s team of expert Compliance Coaches™ field questions and guide users through the implementation process, taking the stress out of managing compliance. The Guard is built to address the full extent of HIPAA regulation and allow clients to demonstrate their compliance with Seal of Compliance verification.
With The Guard, you can focus on running your practice while keeping patients’ data protected and secure.
Find out more about how Compliancy Group can help simplify your HIPAA compliance today!