Yesterday (April 20, 2017), the Office for Civil Rights (OCR) announced a settlement of $31,000 with an Illinois nonprofit. The nonprofit had failed to enter into a business associate agreement (BAA) with one of its vendors that stores records containing protected health information (PHI), which is a HIPAA violation.
Settlements are costly. When an organization settles with the OCR for a HIPAA violation, the organization is placed on a corrective action plan (CAP). CAPs can be extensive, especially for small organizations. Not only does the Illinois nonprofit have to pay the OCR $31,000, but it also has to create policies and procedures within 60 days and train its staff within 30 days of finalizing those policies. Additionally, the organization must send annual reports on its compliance status to the OCR. Furthermore, there’s an unseen cost in the damage to the nonprofit’s reputation.
Therefore, to avoid these penalties, it’s extremely important for your organization to create business associate agreements with any vendors that create, maintain, receive, or transmit PHI.
Who is a Business Associate?
Although HIPAA has always required BAAs, organizations still struggle to identify their business associates. Business associates (BAs) may include:
- Electronic medical record (EMR) software companies
- Consultants that have access to PHI
- IT vendors
- External billing companies
- Leased copier, printer, or scanner vendors (if the device has a hard drive that retains scanned or printed PHI)
- Record storage companies
- Any other software, consultant, or vendor that accesses, stores, or transmits PHI
Although business associate agreements are required, they don’t have to be a chore. Using HIPAAtrek, you can create a business associate agreement from a template and share it with your business associates. HIPAAtrek is the only software with this capability. Contact us to learn more.
Need Guidance? Check out our Business Associate Decision Tree!
Download our decision tree for determining when a BAA is required.