Two recent settlements by the Health and Human Services (“HHS”) Office of Civil Rights (“OCR”) illustrate the importance of executing a business associate agreement (“BAA”). The first was on March 16, 2016, when OCR announced a $1.55 million settlement with a not-for-profit healthcare system in Minnesota for failing to enter into a BAA with a major vendor and for not instituting “an organization-wide risk analysis to address the risks and vulnerabilities to its patient information.” The second, a $750,000 settlement announced in April, involved an orthopedic clinic in Raleigh that disclosed protected health information (“PHI”) to a vendor without first executing a BAA.
Statutory and Regulatory Background
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Public Law 104-191, required the adoption of national standards for electronic health care transactions and code sets, for the privacy of individually identifiable health information, and for security. The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) implemented HIPAA’s mandate to standardize the use and disclosure of individuals’ PHI by covered entities, e.g., health plans, health care providers and health care clearinghouses. The Privacy Rule recognizes that most health care providers and plans do not perform all of their healthcare functions themselves and, therefore, allows covered entities to disclose PHI to business associates (“BA”) when the BA provides satisfactory assurances that it will safeguard the PHI it receives from or creates for the covered entity. The Privacy Rule requires that, prior to disclosing PHI to a BA, the covered entity first enter into a written business associate agreement.
What is a Business Associate Agreement?
A business associate is a person or organization, e.g., a third-party vendor, that performs certain functions or activities on behalf of or provides services to a covered entity involving the use or disclosure of PHI. Generally, these functions can include claims processing, legal, accounting or consulting services, data analytics, quality assurance, etc.
Business associate agreements are legal contracts that outline how a business associate will handle the covered entity’s PHI and ePHI and the responsibilities of each party.
Key Takeaways Regarding BAAs
These two recent settlements demonstrate OCR’s intent to enforce the BAA requirement. Key takeaways from OCR’s enforcement actions include:
- Covered entities must have a HIPAA-compliant BAA with all third-party vendors that create, receive, maintain, or transmit PHI/ePHI on their behalf.
- The BAA must be executed PRIOR to disclosing PHI/ePHI to the BA.
- Covered entities and BAs should take the necessary steps to ensure full compliance with HIPAA.
- OCR will enforce the BA requirement under HIPAA.
- Penalties for lack of compliance can be costly.