Lack of a Business Associate Agreement - a $750,000 Mistake

Covered entities are required to have business associate agreements with any business associate that provides services which may involve the use of, access to or disclosure of protected health information. Lacking such agreements could be a costly mistake for your practice.

HIPAA audits, as mentioned in recent blogs, continue to be on the rise. In addition to auditing practices to ensure they are in compliance with HIPAA policies, the federal government is now looking closely at business associate agreements.

Business associate agreements are formal agreements with contractors or suppliers who may come into contact with protected health information (PHI) while working with your practice.

A covered entity, as defined by the Department of Health and Human Services (HHS), is required to have a business associate agreement with any business associate that provides services which may involve the use of, access to or disclosure of PHI.

The importance of business associate agreements was recently realized by an orthopedic group in Raleigh, North Carolina. The group used a supplier for extracting silver from their x-rays as they transferred them to electronic media. 

Due to the lack of a business associate agreement, when the PHI of 17,300 patients was exposed, the HHS Office of Civil Rights fined the group $750,000. Additionally, the HHS placed the practice under a two-year corrective action plan that included:

  • Providing the HHS with the number, name and copies of all business associate agreements
  • Revising policies and procedures with regard to business associate agreements, including:
    • Designating an individual responsible for business associate agreements
    • Maintaining documentation of business associate agreements for at least six years after a relationship is terminated
    • Creating a policy for determining the need for business associate agreements, along with an agreement template, and limiting disclosures
  • Providing training materials for the HHS to review and approve, followed by documentation of annual employee training, and training for new hires within 15 days of employment
  • Providing annual reports to the HHS

For more information and to read the entire corrective action plan, visit the HHS website. Their website also has a business associates’ page that details when an agreement is needed, and the cases where agreements may not be required. It should be noted that this information should be discussed with your attorney before any final decisions are made.

For additional information on business associate agreements, the HHS website also offers a template and sample provisions for creating your own agreement.

*This blog was authored by Veronica Brattstrom and Kathy Everitt. 
