Many small and growing healthcare organizations that are developing new lines of business and new products may find themselves handling protected health information (PHI) and transmitting that PHI to multiple parties. Recently, the U.S. Department of Health and Human Services (HHS) has stepped up its protection of patients' rights through stricter enforcement of the HIPAA rules. In 2014 there were only four reported HIPAA settlements; in 2013 there were only five.
Already in 2017 there have been seven individual settlements, including a relatively small $31,000 settlement between The Center for Children's Digestive Health (CCDH) and HHS.
While there are many more high profile and high dollar settlements than CCDH, the CCDH settlement is interesting because it underscores two of the more subtle points of the HIPAA rules:
- You don't have to be a massive hospital or nationwide provider to violate HIPAA.
  - As described by HHS, "CCDH is a small, for-profit health care provider with a pediatric subspecialty practice that operates its practice in seven clinic locations in Illinois."
- A breach is not required for a HIPAA violation to occur.
  - In the case of CCDH, the organization shared PHI with one of its vendors, Firefax, without first signing a Business Associate Agreement (BAA), the contract that would have obligated Firefax to handle the PHI appropriately.
Beyond the $31,000 settlement, all involved parties will likely suffer far more in terms of lost reputation and customer concern. The relatively simple step of requesting a BAA from technology vendors before sharing PHI could have avoided a two-year investigation and its negative outcome.
The CCDH case is one instance in a string of recent settlements with HHS. In these settlements, small nuances of the rules and general unawareness of them have compromised protected health information, resulting in large fines and major remediation.
I do have sympathy for CCDH. Compliance can often seem secondary to furthering the health mission, product mission, or technology mission. One of the most difficult tasks that healthcare organizations face is creating a culture of compliance, a culture that assists rather than inhibits development.
Dash enables organizations to configure and manage HIPAA compliance in cloud environments. We provide the insight to react to potential compliance issues before they become violations. Learn more about our compliance mission at www.dashsdk.com.