The CCDH settlement arose from an investigation of CCDH’s business associate, FileFax, Inc. FileFax came under scrutiny from OCR and the Illinois Attorney General in 2015 after allegations that it had disposed of paper medical records of a health care provider client in a dumpster.  In connection with the FileFax investigation, OCR initiated a compliance review of CCDH.  Although CCDH had been disclosing protected health information (“PHI”) to FileFax since 2003, the two companies did not enter into a business associate agreement until October 2015.  All told, CCDH disclosed the PHI of nearly 11,000 individuals without having the appropriate safeguards in place.

The main takeaway from both settlements is that covered entities must ensure that their HIPAA programs are compliant, robust, and well-documented. In both instances, the underlying breach may have been avoided by having an appropriate HIPAA compliance program in place.  However, even if the covered entities’ compliance programs hadn’t avoided the laptop theft or the bad conduct of a vendor, their real trouble began when OCR looked at broader non-compliance issues within the organization.