Precipitating Event: None stated - probably anonymous report (disgruntled ex?) to HHS.
XYZ Medical Practice is a small, for-profit health care provider that operates a pediatric subspecialty practice in seven clinic locations across Illinois.
On August 13, 2015, HHS initiated a compliance review of XYZ Medical Practice to determine whether XYZ Medical Practice's disclosure of protected health information (PHI) to Filefax, Incorporated, a third-party vendor that stored inactive paper medical records for patients of XYZ Medical Practice, was permissible under HIPAA.
HHS's investigation revealed that XYZ Medical Practice failed to obtain satisfactory assurances from Filefax, in the form of a written business associate agreement, that Filefax would appropriately safeguard the PHI that was in Filefax's possession or control.
XYZ Medical Practice impermissibly disclosed the PHI of at least 10,728 individuals to Filefax when XYZ Medical Practice transferred the PHI to Filefax without obtaining Filefax's satisfactory assurances, in the form of a written business associate agreement.
minor modifications for readability
"a small, for-profit health care provider"
This is just one of many small healthcare providers that have been fined by HHS.
Ask Yourself: Could your practice afford a $31k fine and four plus years of HHS in your business?
"form of a written business associate agreement"
If you give PHI to a third-party vendor, there must be a signed business associate agreement.
Ask Yourself: Have you gone through all of your third-party vendors?
"third-party vendor that stored inactive paper medical records"
Some practices that use paper medical records mistakenly think that HIPAA does not apply to them.
Ask Yourself: Do you mistakenly think that HIPAA does not apply to you?
The investigation started in August of 2015, but the resolution agreement was signed in April 2017. The HIPAA Probation lasts 2 years, until April 2019. These investigations and HIPAA probations take 5 years, on average.
Many case studies have an obvious precipitating event, like a stolen laptop. This case does not mention a precipitating event. It is likely that an anonymous call or report was made to HHS regarding this incident. It could have been a disgruntled or former employee, an ex in a relationship, or a competitor. This case involved very specific, inside information.