The need for Business Associate Agreements (BAAs) is not a new one. They have been required since the inception of HIPAA. As the HHS Office for Civil Rights (OCR) has increased its enforcement of HIPAA compliance, organizations that are required to be compliant with HIPAA should review their business associate lists to verify that every business associate has a BAA in place.
Yesterday (April 20, 2017), the OCR announced a settlement of $31,000 with a non-profit located in Illinois. The non-profit had failed to enter into a BAA with one of its vendors that stores records containing PHI.
Settlement cases cost far more than the amount owed to the OCR as a result of the compliance deficiency. When an organization settles with the OCR for a HIPAA violation, the organization is placed on a Corrective Action Plan (CAP). CAPs can be extensive, particularly for small organizations.
In the case of the Illinois non-profit, the organization has to create policies and procedures within 60 days and train its staff within 30 days of finalizing the policies. This will be a costly and time-consuming endeavor for the organization. In addition to creating policies and training its staff, the organization is also required to make annual reports to the OCR on its compliance status.
Not only does this organization have to pay the OCR $31,000 and pay to create policies and train its staff, the organization also faces a potential reputational impact, which could cost the organization further.
Some organizations struggle with identifying their business associates. Examples of potential business associates include (but are not limited to):
- EMR/Practice Management (billing) software companies
- Consultants that have access to PHI
- Outside IT vendors
- Outside billing companies
- Leased copiers/printers/scanners (if the device has a hard drive)
- Record storage companies
- Any other software, consultant, or vendor that accesses, stores, or transmits PHI
For more information on BAAs, visit: https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html
Happy HIPAA trekking!