Why You Need Business Associate Agreements

Are you sure you have a business associate agreement (BAA) with every vendor or company to which you disclose protected health information (PHI)? A medical practice in Illinois in April paid a $31,000 fine because it didn’t have a BAA with one of its long-time vendors that went afoul of the law.

The Center for Children’s Digestive Health (CCDH) is a six-physician pediatric subspecialty practice that operates seven clinic locations in Illinois. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) initiated a compliance review of CCDH in 2015 after the Illinois attorney general sued the vendor, the medical records storage company FileFax, for violating state privacy laws and HIPAA.

According to various reports, FileFax discarded hundreds of files containing complete medical records in its unlocked, publicly accessible Dumpster. FileFax then gave permission to a Dumpster diver to take the paper for recycling. When the woman showed up at a document destruction company with the more than 1,000 pounds of paper, the company recognized it contained PHI and contacted the Illinois attorney general. FileFax, which is no longer in business, paid a $30,000 fine and turned over its list of clients to the attorney general.

None of CCDH’s records were among those compromised by FileFax, but when OCR looked for business associate agreements among the FileFax clients, CCDH came up lacking. According to OCR, although CCDH began “disclosing PHI” to FileFax in 2003, neither party could produce a signed business associate agreement.

What Can You Learn From CCDH’s Experience?

In addition to paying the fine, CCDH has to fulfill a two-year corrective action plan. “The settlement with OCR shows the interconnected nature of health care organizations, in more ways than one, and drives home the simple lesson, as OCR said in its announcement on April 20, that not having a BAA is a ‘mistake,’ ” said the Health Care Compliance Association. “It also emphasizes how OCR and the states may bring related enforcement actions.”

In his HIPAA Blog, Jeff Drummond, an attorney with Jackson Walker, said, “This could … be an indication that OCR is interested in some ‘commodity’ style enforcement actions: Instead of rare but huge fines for egregious breaches, OCR may be looking to increase the number of settlements while reducing the dollar amounts, to encourage resolution of existing cases and increase compliance by making the possibility of a fine more likely, even though the dollar amount would be lower.”

CCDH’s corrective action plan aims to prevent the practice from making its mistake again. Do you have similar safeguards in your practice? The plan requires in part that CCDH revise its policies and procedures, subject to OCR approval, to specify that the practice will:

  • Designate someone to make sure CCDH enters into a business associate agreement before disclosing any PHI to any current and future business associate;
  • Create a standard template for a BAA; and
  • Establish processes for:
    • Assessing business relationships to determine if they are with “business associates” as defined by HIPAA;
    • Negotiating and entering into BAAs, then maintaining documentation of a BAA for at least six years beyond the date of termination of the agreement; and
    • Limiting disclosures of PHI to business associates to the minimum necessary.

Further, CCDH must provide training to employees (and document it) about the policies and procedures.

TMA Can Help

TMA members can incorporate into their policies and procedures TMA’s business associate agreement template (log-in required). The sample BAA also is included in TMA’s customizable Policies and Procedures: A Guide for Medical Practices. The guide’s section on HIPAA contains policies and procedures relating to business associates and BAAs. See also: Are You Prepared for a Business Associate Breach?

Published May 25, 2017

Last Updated On

May 26, 2017
