Two Recent HIPAA Breach Cases Highlight Importance of Compliant Business Associate Agreement

Companies that handle personal health information (PHI) and are subject to HIPAA rules often enter into business associate agreements. This includes companies that handle electronic records for hospitals, transfer information to insurance companies, store HIPAA data, and much more. Under HIPAA, all covered entities, including health plans, hospitals, and insurance companies, must have business associate agreements in place with anyone who handles PHI. This helps maintain security and compliance with HIPAA.

Business associate agreements cover what information is disclosed, how the provider will be using the information, how the information will be stored and secured, and what steps will be taken in the event of an issue. Keeping these business associate agreements up-to-date and compliant is one of dozens of parts of HIPAA compliance that covered entities have to handle. The importance of these agreements is regularly highlighted in HIPAA breach cases.

PHI Data Breach

Even where there is no evidence of actual harm, the recent government crackdown on healthcare companies following data breaches shows that the problem often lies with out-of-date agreements. Data breaches occur in a number of different ways, from malicious hacks to honest mistakes made by employees. In each of these cases, however, certain steps must be taken to rectify the situation.

When a breach occurs, if it affects 500 or more individuals, it must be reported to both the state and federal agencies that oversee and investigate HIPAA compliance. In recent cases, HHS noticed and focused on the fact that the business associate agreements between the healthcare providers and the data processing and storage companies, and the processes those agreements outlined, were out of date or nonexistent.

Care New England Health Systems agreed to a $400,000 settlement after a business associate agreement to provide technical and information support to Women’s & Infants Hospital of Rhode Island was found to be out of date. In 2012, the hospital had to report the loss of unencrypted backup tapes containing electronic PHI. Upon investigation, it was discovered that the business associate agreement was out of date and thus the electronic PHI was disclosed to the business associate improperly.

Meanwhile in Florida, Advanced Care Hospitalists PL has agreed to a $500,000 fine after sharing PHI with a vendor before putting a business associate agreement in place. This settlement was reached at the end of 2018 and highlights the importance of paying attention to records and contracts between parties before work commences.

New Rules on Business Associate Agreements

In September 2013, HIPAA’s Omnibus Final Rule went into effect, including certain mandatory requirements for business associate agreements. Mostly, the provisions related to agreements are designed to both strengthen privacy requirements and make sure patients are aware of their rights, including the right to request a copy of their records in electronic form. Another right is that patients who pay for the costs of their care out of pocket can restrict the disclosure of PHI. These rights must be included in the business associate agreements so that business partners are aware of these requirements.

Further, business associate agreements must require the business associate to determine a breach’s “risk of compromise” to PHI it has in its possession. This is different from determining the risk of “harm.” The agreement should also include mitigation strategies to ensure that, when a breach occurs, appropriate steps are taken to limit the information compromised and all required parties are notified.

Keeping on top of HIPAA compliance as businesses change and grow and making sure all the appropriate paperwork, policies, procedures, and agreements are in place is part of what we do at Hall Benefits Law. Learn more about HIPAA compliance and business associate agreements by calling 678-439-6236 or visiting the Hall Benefits Law website.


Hall Benefits Law, LLC

HBL offers employers comprehensive legal guidance on benefits in mergers and acquisitions, Employee Stock Ownership Plans (ESOPs), executive compensation, health and welfare benefits, healthcare reform, and retirement plans. We counsel a wide spectrum of clients including small, mid-sized, and large companies, 401(k) investment advisors, health insurance brokers, accountants, attorneys, and HR consultants, just to name a few. HBL is passionate about advising clients, and we are dedicated to our mission: to provide comprehensive, personalized, and practical ERISA and benefits legal solutions that exceed client expectations.
