A Business Associate Agreement (BAA) is not optional. If you have a vendor who performs certain functions or activities involving protected health information (PHI), you must have a signed BAA in place. Recently the U.S. Department of Health and Human Services (HHS) has been reinforcing BAA requirements and issued settlements totaling $23 million in 2016.
$31K Mistake for "No Business Associate Agreement"
According to the Office for Civil Rights (OCR) announcement, titled No Business Associate Agreement? $31K Mistake, a compliance review was initiated with the Center for Children's Digestive Health (CCDH) following an investigation of a business associate, FileFax, Inc., which stored records containing protected health information (PHI) for CCDH.
The announcement goes on to say the investigation revealed that:
- PHI was disclosed by CCDH to Filefax beginning in 2003
- Neither party could produce a signed BAA prior to October 2015.
$400,000 Settlement for Failure to Maintain BAA
One particular case that stands out is Care New England Health System (CNE). Investigation showed CNE failed to keep PHI secure because they did not have current business associate agreements in place. OCR uncovered that 14,000 individuals' records were compromised when they lost encrypted ultrasound studies. As a result, CNE agreed to a settlement of $400,000 for failure to maintain a BAA.
$650,000 Settlement for Catholic Health Care Services of the Archdiocese of Philadelphia
In June 2016, Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) agreed to a $650,000 settlement for lacking necessary BAAs. CHCS provided information technology and management services as a BA to six skilled nursing facilities. In February 2014, OCR received separate notifications from each of the nursing facilities that a mobile device was stolen, which could potentially compromise 412 individuals' information. Investigation showed that not only was CHCS lacking the necessary BAA, they had not conducted an accurate and thorough assessment of the potential risks and vulnerabilities of ePHI.
Important Lesson
Settlements like these continue to show the importance of having a signed BAA in place. Conducting regular and comprehensive risk analyses can prevent serious mistakes and ensure your organization is protecting PHI.
Don't let your organization fall behind on BAAs! Conduct a routine audit to ensure your facility has implemented the proper security measures necessary, and that you have a signed BAA in place for each vendor.
If you have any questions please do not hesitate to contact us by phone at 1-855-427-0427 or by email at [email protected].