All HIPAA-covered entities must have signed Business Associate Agreements with contractors before any PHI is provided. The failure to obtain a signed BAA prior to PHI being provided could potentially result in a fine being issued by the Department of Health and Human Services’ Office for Civil Rights. Both the covered entity and Business Associate (BA) can be fined for a failure to comply with these rules.
Business Associate Agreements with Contractors and Vendors a Requirement Under HITECH/HIPAA
Since the introduction of the HITECH Act, Business Associate Agreements with contractors have been mandatory, although it was not until February 18, 2010 that the new rules became enforceable.
The reason for the BAA is to ensure that any contractor or vendor is aware of the HIPAA Rules covering the privacy and security of Protected Health Information. BAs must agree to abide by HIPAA Rules and ensure that appropriate physical, technical, and administrative controls are put in place to safeguard patient data.
If a covered entity obtains a signed BAA from a contractor who subsequently fails to keep PHI secure, the covered entity may escape an OCR financial penalty, although covered entities should conduct periodic assessments to ensure that HIPAA Rules are being followed by their BAs.
The OCR is not the only body that can issue fines for breaches of HIPAA Rules. State attorneys general can also issue financial penalties for privacy and security breaches caused by a failure to secure PHI. Only a few states have taken action against healthcare providers, insurers, and business associates for HIPAA violations to date (although a number have taken action against healthcare organizations that have also violated state regulations covering data privacy and security).
The State of Connecticut Office of the Attorney General has been quite active in assisting the OCR in enforcing HIPAA regulations. The Conn. OIG has arrived at financial settlements with healthcare providers found to have violated the privacy of state residents as a result of breaches of HIPAA regulations. Last week the Connecticut OIG arrived at a new settlement with Hartford Hospital and EMC Corporation over an alleged HIPAA violation dating back to 2012.
Hartford Hospital did not cause a data breach, but has agreed to a settlement along with one of its contractors – EMC Corporation – as a result of the exposure of 8,883 patient records following the theft of an unencrypted laptop computer from the home of an EMC employee.
EMC had been contracted to assist Hartford Hospital by conducting a data analysis of PHI in an effort to reduce hospital admissions. PHI had been provided to EMC, but a BAA had not been obtained. Following an investigation into the data breach by the Conn. OIG, both the healthcare provider and EMC agreed to settle the case and pay the state $90,000 to resolve all issues without admission of liability.
Hartford Hospital maintains that the data breach did not result in any patients coming to harm, and credit monitoring services were provided as a precaution. Following the discovery of the laptop theft, Hartford Hospital conducted a model data breach response in accordance with state and HIPAA regulations. However, the settlement was necessary to resolve the issues arising from the lack of a BAA.
The case against the healthcare provider and its BA highlights the importance of ensuring that a current, signed BAA is obtained from all contractors and vendors required to come into contact with patient PHI.