Illinois Provider Pays $31,000 HIPAA Settlement Due to Lack of BA Agreement

The Center for Children’s Digestive Health has paid the U.S. Department of Health and Human Services (HHS) $31,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule and agreed to implement a corrective action plan, according to HHS.

CCDH is a small, for-profit health care provider with a pediatric subspecialty practice that operates its practice in seven clinic locations in Illinois. 

HHS reports that in August 2015, the HHS Office for Civil Rights (OCR) initiated a compliance review of the Center for Children’s Digestive Health following an initiation of an investigation of a business associate, FileFax, Inc., which stored records containing protected health information (PHI) for the healthcare provider. While Center for Children’s Digestive Health began disclosing PHI to Filefax in 2003, neither party could produce a signed Business Associate Agreement (BAA) prior to Oct. 12, 2015, according to HHS. Additionally, neither party could produce a signed BAA prior to Oct. 2015, HHS stated.

HHS also has issued guidance regarding business associate agreements, which can be found here.