Skip to main content

Business Associates Beware

If you haven't yet caught up with the new HIPAA Omnibus Rule and its consequences for those businesses who are not themselves healthcare providers, but are service providers to healthcare entities (and even further downstream than that....), you can take a listen to our recent webinar highlighting the most important changes and issues.

A recent settlement released by the Massachusetts Attorney General calls attention to the fact that improper disposal of medical records and personal information can cost you.  The owners of a medical billing practice and four pathology groups, whose patient information was all improperly disposed, will collectively pay $140,000 to settle the claims.

In July 2010 a Boston Globe photographer discovered a knoll of medical records at the Georgetown Transfer Station.  Goldthwait Associates, a medical billing practice, tossed the records of more than 67,000 Massachusetts residents at the public dump when they closed shop in May 2010.  The records included names, Social Security numbers, health insurance information and medical diagnoses.

The AG alleged that the owners of Goldthwait Associates improperly disposed of medical records and in doing so violated the Massachusetts Consumer Protection Act, the Massachusetts Data and Disposal and Destruction Act, and the Massachusetts Security Breach Act (including 201 CMR 17.00).  The pathology groups were charged with “failing to have appropriate safeguards in place to protect the personal information they provided to Goldthwait Associates” and not taking reasonable steps to retain a service provider that had appropriate security measures in place to protect personal information (PI) and protected health information (PHI).  The groups were alleged to be in violations of the Massachusetts Security Breach Act and HIPAA Privacy and Security Rules.

The complaint outlines steps that the groups did not take during their relationship with Goldthwait, which can serve as a to-do list when onboarding new vendors:

  1.  inquire about the vendor’s methods for ensuring adequate safeguards for protecting PI and PHI;
  2.  inquire about the vendor’s methods for disposing of PI and PHI;
  3.  inspect the vendor’s facilities;
  4.  request a copy of the vendor’s policies and procedures or contracts that detail the vendor’s method for disposing of PI and PHI;
  5.  verify that employees of the vendor who come into contact with PI or PHI are adequately trained regarding the appropriate methods for handling or disposing of such information.

The settlement agreement requires each pathology group to vet all business associates, ensuring they have a written information security plan and the practices described are sufficient to comply with the groups’ obligations to protect personal information and PHI.  The groups must also execute business associate agreements before disclosing any PI or PHI to service providers.  AG Coakley said, “Personal health information must be safeguarded as it passes from patients to doctors to medical billers and third-party contractors.”

Gagnon, the owner of Goldthwait Associates, told news sources that some of the groups were his clients for over 25 years, which may explain why they failed to have formal agreements in place.  This settlement underscores the importance of reviewing the practices of your vendors (even if your best friend owns the company) and signing agreements with them that cover the protection of PI and PHI.


Subscribe To Viewpoints


Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.