The Office of Civil Rights entered into a settlement with a small non-profit provider because the provider could not produce a written business associate agreement with a vendor using protected health information. The settlement requires the children's GI center to pay a $31,000 in addition to costly corrective actions. There are two (2) lessons here: (1) all providers should ensure business associate agreements are in place with vendors using PHI and (2) contract management systems are vital. If you have any concerns about your organization's compliance with the HIPAA Privacy or Security Rule, please contact us.
The settlement can be found here.
The settlement can be found here.