Under HIPAA, a business associate is defined as a person or entity, other than a member of the workforce of a covered entity, who “performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.”
HIPAA requires that covered entities enter into contracts with business associates to ensure appropriate safeguarding of protected health information.
“If your business associate has a breach, your practice must report the breach to OCR and your patients,” Mr. Mikel said in an interview. “The OCR will then investigate your practice and your relationship with the business associate. Just because the breach and fault clearly happened elsewhere, you will still be investigated, and could face a penalty if HIPAA requirements weren’t met.”
Who? Filefax of Northbrook, Ill.
What happened? The OCR opened an investigation after receiving an anonymous complaint that medical records obtained from Filefax, a company that provided storage, maintenance, and delivery of medical records for health professionals, were left unmonitored at a shredding and recycling facility. OCR’s investigation revealed that a person left the records of 2,150 patients at the recycling plant and that the records contained protected health information, according to an HHS announcement. It is unclear if the person worked for Filefax.
What else? The OCR discovered that, in a related incident, an individual who obtained medical records from Filefax left them unattended in an unlocked truck in the Filefax parking lot.
How much? The OCR imposed a $100,000 fine on Filefax. The company is no longer in business; however, a court-appointed liquidator has agreed to properly store and dispose of the remaining records.
Lessons learned: Although the case did not involve a health provider, the circumstances are applicable to physicians, particularly when practices move or close, Mr. Mikel said. In some cases, a former patient may contact a shuttered practice only to learn their record cannot be located, or worse, that a breach has occurred.
“[Such a case is] ripe for a patient to complain to OCR,” he said. “OCR doesn’t care if you’re closed or retired, they’re going to look.”
HIPAA requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information in any form when moving or closing. The safeguards must prevent prohibited uses and disclosures of protected health information in connection with the disposal of such information, according to the rule. The HHS provides guidance on disposing of medical records; further, the American Academy of Family Physicians has created a checklist on closing a practice that addresses the transfer of medical records.
Without taking the correct measures, doctors may end up drawing scrutiny from OCR and face a potential fine if violations are found, experts said.
“Covered entities and business associates need to be aware that OCR is committed to enforcing HIPAA regardless of whether a covered entity is opening its doors or closing them,” Mr. Severino of the OCR said in a statement. “HIPAA still applies.”