by Wyn Staheli, Director of Research
April 13th, 2016
It is important for providers to understand the critical nature of the Business Associate Agreement (BAA). Far too many healthcare providers are neglecting this component of HIPAA, which can be a costly mistake. For years providers have been warned that if they are a HIPAA Covered Entity (CE) they MUST have properly executed BAAs for all their business associates. Failure to do so could cost millions. Penalties begin at $50,000 per violation with a maximum of $1.5 million per year for repeats of the same violation. The Department of Health and Human Services (HHS) is required to impose these penalties when violations are found to be willful. Additionally, even though there is currently no system through which victims of unlawful HIPAA disclosure can be compensated, there are discussions underway to enable victims to receive a portion of the penalties collected. Additionally, CE's are responsible for monitoring their BAAs and enforcing protections, reporting violations, and if the BAAs do not follow the protocols, the CE's must report terminate the relationship and report them.
On March 16, 2016, the OCR made the following announcement (emphasis added):
$1.55 million settlement underscores the importance of executing HIPAA business associate agreements
North Memorial Health Care of Minnesota has agreed to pay $1,550,000 to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to implement a Business Associate Agreement (BAA) with a major contractor and failing to institute an organization-wide risk analysis to address the risks and vulnerabilities to its patient information. North Memorial is a comprehensive, not-for-profit health care system in Minnesota that serves the Twin Cities and surrounding communities.
“Two major cornerstones of the HIPAA Rules were overlooked by this entity,” said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). “Organizations must have in place compliant business associate agreements as well as an accurate and thorough risk analysis that addresses their enterprise-wide IT infrastructure.”
OCR initiated its investigation of North Memorial following receipt of a breach report on September 27, 2011, which indicated that an unencrypted, password-protected laptop was stolen from a business associate’s workforce member’s locked vehicle, impacting the electronic protected health information (ePHI) of 9,497 individuals.
OCR’s investigation indicated that North Memorial failed to have in place a business associate agreement, as required under the HIPAA Privacy and Security Rules, so that its business associate could perform certain payment and health care operations activities on its behalf. North Memorial gave its business associate, Accretive, access to North Memorial’s hospital database, which stored the ePHI of 289,904 patients. Accretive also received access to non-electronic protected health information as it performed services on-site at North Memorial.
The investigation further determined that North Memorial failed to complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed, or transmitted across its entire IT infrastructure -- including but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes.
If you have not already done so, review all your business arrangements and current contracts. Do you have a properly executed BAA with ANY entity which has access to your PHI? If not, take action today! Do not assume that someone else is taking care of it and that the BAA has taken the proper measures. It is your responsibility to ask questions and follow up. For those who lack BAAs, an updatable form is available to those who purchase HIPAA Compliance.