Large Monetary Penalty Underscores Need to Execute HIPAA Business Associate Agreements Prior to Sharing Protected Health Information
by Stacey A. Borowicz and Sarah C. Persinger, PharmD, RPh, of Dinsmore & Shohl LLP
Tuesday, April 26, 2016

The U.S. Department of Health and Human Services (HHS) announced on April 14, 2016 that a North Carolina healthcare clinic must pay $750,000 to settle charges that it potentially violated the HIPAA Privacy Rule by sharing protected health information (PHI) involving 17,000 of its patients without first executing a Business Associate Agreement (BAA) with a third-party vendor.

The settlement underscores the importance of the HIPAA requirement to obtain BAAs and shows that it is more than a “check-the-box paperwork exercise.”1 It should serve as a reminder to all Covered Entities of the potentially serious consequences that may arise from failure to comply with the HIPAA regulations.

In addition to the $750,000 payment, the clinic must:

  1. Establish a process to assess whether entities are business associates;

  2. Designate a responsible individual to assure BAAs are in place prior to disclosing any PHI to a business associate;

  3. Create a standard template BAA;

  4. Establish a standard process to maintain documentation of BAAs for at least six years beyond the date of termination of a business associate relationship; and

  5. Limit disclosure of PHI to the minimum necessary to accomplish the purpose for which the business associate was hired.

Model BAA language can be found on the HHS website.2

1 “$750,000 settlement highlights the need for HIPAA business associate agreements” (HHS announcement)

2 “Business Associate Contracts” (HHS website)
