HIPAA Rules on Business Associate Agreements

This week, the HHS’ Office for Civil Rights (OCR) sent a warning to covered entities about the need to ensure HIPAA compliance rules on business associate agreements are followed. OCR announced a settlement had been reached with an Illinois healthcare provider for disclosing protected health information (PHI) without first obtaining a signed copy of a BAA.

What is a Business Associate Agreement?

Under HIPAA Rules, a business associate is classed as an entity or person that performs functions or activities on behalf of the covered entity that requires access to PHI. Prior to being provided with access to ePHI or physical records, a signed copy of a HIPAA-compliant business associate agreement must be obtained by the covered entity.

A business associate agreement is a contract between a covered entity and its business associate in which the responsibilities of the BAA with respect to either physical or electronic PHI are accurately described.

By signing the business associate agreement, the business associate is agreeing to comply with HIPAA Rules. After a signed BAA has been obtained by a covered entity, the business associate can be fined directly by OCR or state attorneys general for failing to comply with HIPAA Rules.

What are the HIPAA Rules on Business Associate Agreements?

A HIPAA-compliant business associate agreement must cover all of the responsibilities a business associate has with respect to PHI. The BAA must therefore:

  • Detail the permitted uses and disclosures of PHI by the business associate
  • State that the business associate must not disclose PHI to any unauthorized individuals
  • Explain the rules and requirements for providing PHI – or access to PHI – to a subcontractor
  • Explain the safeguards that are required to preserve the confidentiality, integrity, and availability of PHI
  • Cover the requirements for reporting breaches of PHI
  • Explain how PHI must be provided to meet HIPAA Privacy Rule requirements concerning patients’ requests to obtain copies of their PHI
  • The requirement to allow OCR or other regulatory bodies to access documentation relating to HIPAA Rules
  • The requirements following the termination of the business association
  • Authorize the covered entity to terminate the contract if the business associate is found to have violated the terms of the agreement or HIPAA Rules

A sample BAA can be obtained from OCR on this link.

Failure to Comply HIPAA Rules on Business Associate Agreements

Any covered entity that fails to comply with HIPAA Rules on business associate agreements can be fined by the Office for Civil Rights, as was demonstrated this week. The Center for Children’s Digestive Health agreed to pay $31,000 to resolve potential violations of HIPAA Rules after failing to obtain a signed copy of a business associate agreement before providing documents containing PHI to the storage firm FileFax.

Fines for failing to comply with HIPAA Rules on business associate agreements can be considerably higher. In September last year, Care New England Health System agreed to settle with OCR for $400,000 after disclosing PHI to a business associate without first obtaining a valid BAA.

In April 2016, Raleigh Orthopaedic Clinic, P.A. of North Carolina provided X-Ray films to a recycling firm to recover silver without first obtaining a BAA. Raleigh Orthopaedic settled the HIPAA violations with OCR for $750,000.

In March 2016, North Memorial Health Care settled with OCR for $1,550,000. The payment resolved multiple violations of HIPAA Rules, including the failure to obtain a signed BAA prior to providing PHI to a payment services provider.

The maximum penalty for violations of HIPAA Rules on business associate agreements is $1.5 million per calendar year that the violations have been allowed to persist. Covered entities should therefore ensure not only that a HIPAA-compliant BAA is obtained before disclosing PHI to any new business associate, but also that a valid BAA exists for all current vendors.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news