Lack of Business Associate Agreements Proves Costly
Think your healthcare covered entity doesn’t need to establish and maintain Business Associate Agreements (BAA) with companies who can access your patients’ protected health information (PHI)? Think again.
Cases in Point
March 2016 — North Memorial Health Care agreed to pay the U.S. Department of Health and Human Services (HHS) $1,550,000 to settle charges that it potentially violated HIPAA Privacy and Security Rules by failing to implement a BAA with a major contractor and failing to institute an organization-wide risk analysis.
April 2016 — Raleigh Orthopedic Clinic, P.A. of North Carolina agreed to pay HHS $750,000 to settle charges that it potentially violated the HIPAA Privacy Rule by handing over PHI for approximately 17,300 patients to a potential business partner without first executing a BAA.
September 2016 — Care New England Health System agreed to pay HHS $400,000 for failing to update, in a timely manner, an existing written BAA on behalf of each of the covered entities under its common ownership or control. The BAA was issued in March 2005 and not updated until August 2015. In 2012, one of its covered entities discovered that unencrypted backup tapes containing electronic PHI were missing.
April 2017 — The Illinois-based Center for Children’s Digestive Health agreed to pay HHS $31,000 for failing to have a BAA with a company they hired to store records containing PHI.
Take Corrective Action
The lesson here is to do now what these entities should have done in the first place:
- Develop, maintain, and revise policies and procedures to comply with HIPAA Privacy and Security Rules;
- Designate a responsible individual to ensure BAAs are in place prior to disclosing PHI to a business associate;
- Create a standard template BAA;
- Establish a standard process for maintaining documentation of a BAA for at least six years beyond the date of termination of a business associate relationship; and
- Limit disclosures of PHI to any business associate to the minimum necessary to accomplish the purpose for which the business associate was hired.