To all you physicians out there, listen, I get it. You’re busy practicing medicine, doing your job, your time is limited, and you can’t be in two places at once. And you certainly can’t look out for everything that is going on in the back office all the time. But, you should take some time to make sure that your HIPAA compliance is where it needs to be. Otherwise, you could be looking at a costly problem that could have been avoided with just a minimal bit of attention and effort. As you know, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires (among other things) that physicians and their medical practices safeguard their patients’ protected health information (PHI). One of the requirements is that you have a written Business Associate Agreement with a party with whom you share patients’ PHI so that the Business Associate is obligated to also safeguard the PHI. Last year, the Center for Children’s Digestive Health, S.C. (CCDH), a small, for-profit healthcare provider that operates a pediatric subspecialty practice in 7 clinic locations in Illinois found itself with a HIPAA problem that could have been easily avoided. CCDH used the services of Filefax, Incorporated (Filefax), a third party vendor, to store inactive paper medical records for patients of CCDH. The PHI of at least 10,728 individuals were transferred to Filefax as part of this arrangement, but, according to the U.S. Department of Health and Human Services, it appears that the files were transferred “without obtaining Filefax’s satisfactory assurances, in the form of a written business associate agreement, that Filefax would appropriately safeguard the PHI.” Due to the lack of a written business associate agreement, CCDH was required to pay a Resolution Amount to HHS of $31,000. If you are not sure that you have all required business associate agreements in place with vendors or others with whom you share PHI, then you owe it to yourself, your bank account, and your patients to take the time to make sure that you have all necessary business associate agreements in place. If in doubt, you may want to speak to an attorney about your situation who can advise you regarding the requirements of HIPAA and can draft any needed business associate agreements.
