August 13, 2020

Volume X, Number 226

August 13, 2020

Subscribe to Latest Legal News and Analysis

August 12, 2020

Subscribe to Latest Legal News and Analysis

August 11, 2020

Subscribe to Latest Legal News and Analysis

August 10, 2020

Subscribe to Latest Legal News and Analysis

Large Monetary Penalty Underscores Need to Execute HIPAA Business Associate Agreements Prior to Sharing Protected Health Information

The U.S. Department of Health and Human Services (HHS) announced on April 14, 2016 that a North Carolina healthcare clinic must pay $750,000 to settle charges that it potentially violated the HIPAA Privacy Rule by sharing protected health information (PHI) involving 17,000 of its patients without first executing a Business Associate Agreement (BAA) with a third-party vendor.

The settlement underscores the importance of the HIPAA requirement to obtain BAAs and shows it is more than a “check-the-box paperwork exercise”.1 The settlement should serve as a reminder to all Covered Entities of the potentially serious consequences that may arise from failure to comply with the HIPAA regulations.

In addition to the $750,000 payment, the clinic must:

  1. Establish a process to assess whether entities are business associates;

  2. Designate a responsible individual to assure BAAs are in place prior to disclosing any PHI to a business associate;

  3. Create a standard template BAA;

  4. Establish a standard process to maintain documentation of BAAs for at least six years beyond the date of termination of a business associate relationship; and

  5. Limit disclosure of PHI to the minimum necessary to accomplish the purpose for which the business associate was hired.

Model BAA language can be found on the HHS website.2

1 See here - $750,000 settlement highlights the need for HIPAA business associate agreements

2 See here - Business Associate Contracts

© 2020 Dinsmore & Shohl LLP. All rights reserved.National Law Review, Volume VI, Number 117


About this Author

Stacey A. Borowicz, Regulatory, Health care industry, attorney, Dinsmore Shohl,

Stacey Borowicz is an accomplished attorney who dedicates the majority of her business and regulatory practice to health care providers. Stacey brings with her more than a decade of front line experience in the health care industry as she acquired a rare set of skills as a medical researcher/scientist prior to entering the practice of law.

Stacey's experience in the healthcare representation is diverse and includes Medicare/Medicaid audit and overpayment appeals, voluntary disclosures and refunds. Stacey also brings a wealth of experience in...

Sarah C. Persinger PharmD RPh, managed care lawyer & pharmacy benefits management attorney at Dinsmore Law Firm

Sarah is a member of our Health Care Practice Group. She holds a Doctor of Pharmacy degree and is a registered pharmacist with extensive pharmacy practice experience and a working knowledge of regulatory affairs. She has managed health system pharmacy compliance with Ohio State Board of Pharmacy, DEA, and CMS regulations, the federal 340B Drug Discount Program, USP 797 and FDA Sterile Compounding requirements, and Joint Commission and HFAP Accreditation standards. 

Sarah has a strong working knowledge of specialty pharmacy, managed care and pharmacy benefits management, HIPAA and healthcare information security, and trade association industry relations, as well as work experience in the retail, hospital, and long-term care pharmacy practice settings. 

Her experience enables her to provide comprehensive and strategic legal and compliance counsel to a wide variety of healthcare clients who operate in a complex and quickly-evolving regulatory environment. Sarah also provides legal services and advice throughout the lifecycle of complex healthcare transactions, and leverages her previous experience practicing pharmacy and managing health system pharmacy compliance, along with relationships she has developed with staff, members, and executive leaders of the Board of Pharmacy, to assist clients with obtaining licensure and navigating the board’s administrative hearing process.

Sarah has served as an adjunct professor at Ohio Northern University and visiting lecturer at Cedarville University, teaching about the legal and regulatory environment of the pharmaceutical industry and the profession of pharmacy.

(614) 628-6979