Lack of a Business Associate Agreement can be a Costly Mistake

According to the HIPAA Office for Civil Rights, one of the most common HIPAA violations is the lack of business associate agreements.

Business associate agreements are formal agreements with all the contractors/suppliers who may come into contact with, have access to, or disclose protected health information (PHI) while working with your practice.

Examples of HIPAA business associates include:

  • A third-party administrator to help with claims processing
  • A consultant performing utilization reviews
  • An independent medical transcriptionist
  • A mobile application developer

Just how important are business associate agreements?

An orthopedic group in Raleigh, N.C. realized the value of business associate agreements the hard way. The group utilized a supplier for extracting silver from their x-rays as they transferred them to electronic media, a practice which may also be prevalent in dental offices.

Because no business associate agreement was in place when the PHI of 17,300 patients was exposed, the U.S. Department of Health & Human Services (HHS) Office for Civil Rights fined the orthopedic group $750,000 and imposed a two-year corrective action plan that included:

  • Providing the HHS the number, name and copies of all business associate agreements
  • Revising its policies and procedures with regard to business associate agreements
    • Designating an individual responsible for the business associate agreements
    • Initiating a policy for maintaining documentation of the agreement six years after the relationship is terminated
    • Creating a policy for determining the need for a business associate agreement, along with a template and limits on disclosures
  • Providing training materials for HHS review and approval followed by documentation of employee annual training within 15 days of employment
  • Providing annual reports to the HHS

For more information and to read the entire corrective action plan for this group, visit the HHS website.

If you qualify as a covered entity, your HIPAA policy/procedure manual should contain the policies and procedures used in determining the necessity of a business associate agreement with a vendor. The manual should also include:

  • How you review and update agreements
  • How to respond to any violations of the agreement
  • The business associate’s responsibilities to you and for protecting your patients’ PHI
  • The potential financial and reporting responsibilities in the event of a breach

For more information on business associate agreements from HHS, you can review their Business Associates page. As always, discuss the issue with your business attorney.

Contact PSIC if you have any further questions regarding business associate agreements.
