Liability for HIPAA violations is taking many forms.
The Massachusetts attorney general settled a case involving an out of business medical billing company and the entities it was doing business for. The settlement was with Goldthwait Associates and four of its clients - Milford Pathology Associates, Milton Pathology Associates Pioneer Valley Pathology Associates, and Kevin Dole, M.D., former president of Chestnut Pathology Services. These entities did not have BAAs in place, some of the entities were doing business together for 25 years.
It was discovered that Goldthwait did not dispose of personal information in a proper manner by placing this data in a business trash bin open to other businesses in the building.
The complaint alleges that the pathology groups also violated HIPAA regulations by failing to have appropriate safeguards in place to protect the personal information they provided to business associate Goldthwait Associates. The complaint also alleged these entities violated state data security regulations by not taking reasonable steps to select and retain a service provider that would maintain appropriate security measures to protect such confidential information.
A quote from the AG' office highlights this point:
"Personal health information must be safeguarded as it passes from patients to doctors to medical billers and other third-party contractors."
If you need help understanding these rules, please contact Kinney & Larson.