Business Associate Agreements Are Critical to HIPAA Compliance: OCR Announces $755,000 Settlement Action

On April 19, 2016, the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”) reached a settlement in the amount of $755,000 with a North Carolina orthopedic clinic (“Clinic”) for failing to execute a business associate agreement with a third-party vendor. This is OCR’s second settlement this year related to business associate agreements, highlighting OCR’s focus on investigating business associate relationships.

OCR initiated its investigation following notification on April 30, 2013 of a breach in which the Clinic disclosed protected health information (“PHI”) contained in x-rays to a third-party vendor. The Clinic had orally agreed to allow this vendor to transfer x-ray images to electronic media in exchange for harvesting the silver from the x-ray films. Without a written business associate agreement in place, the Clinic gave the third-party vendor access to the PHI of 17,300 patients.

OCR and the Clinic entered into a resolution agreement and corrective action plan that, in addition to the monetary payment, requires the Clinic to revise its business associate policies and procedures. The Clinic will also need to:
- designate one or more individuals with authority to enter into and monitor business associate agreements;
- create a process to determine which third-party vendor relationships fall under the business associate definition;
- create a process for negotiating business associate agreements;
- create a standard template for business associate agreements;
- create a process;
- create a document management system for business associate agreements;
- limit disclosures of PHI to the minimum amount that is reasonably necessary to allow business associates to perform their duties.
In a press release announcing the settlement, OCR Director Jocelyn Samuels emphasized that “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise” and that “it is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”

Practical Takeaways

In light of this enforcement action, and with Phase 2 HIPAA audits underway, covered entities need to take the following steps to ensure compliance with HIPAA’s business associate provisions:
- Review current business associate relationships and execute written agreements (if not already in place);
- Review current policies and procedures related to business associates to ensure that specific individuals are responsible for monitoring, negotiating and documenting business associate relationships.
More information on this enforcement action, including the resolution agreement and the OCR press release, is available here. If you have any questions, please contact:

Posted on April 26, 2016 in Health Law, HIPAA. Written by: Hall Render
Hall Render – Main Blog http://blogs.hallrender.com/