According to Healthcare IT News, the Center for Children’s Digestive Health shared PHI with FileFax, a business partner, without having a BAA in place.
“The Center for Children’s Digestive Health, a small, for-profit pediatric subspecialty practice that operates seven clinic locations in the Chicago area, had contracted in 2003 with FileFax, a Northbrook, Illinois-based firm that stores medical records. Despite the fact that the files contain protected health information, an investigation from HHS’ Office for Civil Rights discovered that neither party could show a signed business associate agreement prior to Oct. 12, 2015. In May of 2015, the Illinois Attorney General brought suit against FileFax for improper handling of PHI, charging that its employees had tossed the paper medical records of thousands of patients into an unlocked dumpster.” (Healthcare IT News, April 2017).
Use this time to look through your documentation. If you need help, call us. We can help you identify where a BAA is required and where it isn’t. We also have a cloud-based documentation repository to store all security- and HIPAA-related documentation.