Business Associate Agreements Are Essential to HIPAA Compliance

If you’re familiar with the Health Insurance Portability and Accountability Act (HIPAA), you may know that covered entities cannot disclose protected health information (PHI) to unauthorized persons. However, covered entities often work with third parties and need to disclose PHI to these non-covered entities for business reasons. HIPAA allows covered entities to make these business-related disclosures, but the covered entity and the business associate need to formalize the relationship in a written business associate agreement first.

A business associate agreement is a contract that codifies the relationship between the covered entity and the business associate. A business associate is a person or entity that provides services to, performs work on behalf of, or otherwise handles PHI when working with a HIPAA covered entity. The written agreement specifies the permissible uses and disclosures of PHI by the business associate, states that the business associate will comply with HIPAA requirements, describes the procedures that will be followed in the event of a HIPAA breach, and specifies how PHI will be handled upon termination of the covered entity’s relationship with the business associate. The Department of Health and Human Services (HHS) provides sample provisions for a business associate agreement, though many covered entities use individually tailored agreements.

Handing over PHI to an unauthorized person or entity is a violation of HIPAA. Last week, HHS fined a North Carolina provider, Raleigh Orthopaedic Clinic, $750,000 for violating this rule. The clinic released X-ray films and related PHI for 17,300 patients to a third-party company in order for the third-party company to digitize those records. This transaction was arranged via an oral agreement. However, because the clinic and the third-party company didn’t have a written business associate agreement in place, the clinic caused a HIPAA breach by releasing PHI to an unauthorized entity.

In addition to the $750,000 fine, Raleigh Orthopaedic must undergo a two-year corrective action plan and take actions including revising HIPAA policies and procedures, reviewing current business associate agreements and retraining employees.

To add insult to injury, the clinic never received the digitized PHI from the vendor. Instead of digitizing the PHI, the third-party company simply sold the X-ray films to a recycling company, which extracted and sold the silver from the X-ray films before apparently destroying the PHI.

Last month, HHS fined a Minnesota healthcare system $1,550,000 for failing to conduct a risk assessment and failing to execute a written business associate agreement with a third-party billing company. The billing company was not authorized to receive PHI, yet it was given access to the PHI of almost 300,000 patients for over six months before a business associate agreement was finally signed.

Jocelyn Samuels, Director of HHS Office for Civil Rights, stated: “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise. It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.” As these two recent actions show, failing to execute a business associate agreement can be an expensive mistake.

About The Boon Group

The Boon Group® is a full service employee benefits company specializing in the design, implementation and administration of cost-effective fringe benefit plans for federal, state and local government contractors. Since 1982, The Boon Group has developed a partnership philosophy that expands beyond the products and services we offer. We stand with the employers and employees who, just like all who work at The Boon Group, are faced with the daunting task of navigating the U.S. healthcare system. Together, we can find a better way for all Americans to access healthcare. The Boon Group, Inc. is the parent holding company of The Boon Insurance Agency, Inc., Boon Administrative Services, Inc. (formerly named CEBA), Boon Insurance Management Services, L.P., Health & Welfare Benefit Systems, Inc. and Boon Investment Group, Inc. The Boon Group was formed to support and strengthen the position of these companies as a wholesaler of exclusive products and services.
Posted in compliance, HIPAA, PHI, protected health information.
