The U.S. Department of Health and Human Services (HHS) announced on April 14, 2016 that a North Carolina healthcare clinic must pay $750,000 to settle charges that it potentially violated the HIPAA Privacy Rule by sharing protected health information (PHI) involving 17,000 of its patients without first executing a Business Associate Agreement (BAA) with a third-party vendor.

The settlement underscores the importance of the HIPAA requirement to obtain BAAs and shows that the requirement is more than a “check-the-box paperwork exercise”.1 The settlement should serve as a reminder to all Covered Entities of the potentially serious consequences that may arise from failure to comply with the HIPAA regulations.

In addition to the $750,000 payment, the clinic must:

  1. Establish a process to assess whether entities are business associates;
  2. Designate a responsible individual to assure BAAs are in place prior to disclosing any PHI to a business associate;
  3. Create a standard template BAA;
  4. Establish a standard process to maintain documentation of BAAs for at least six years beyond the date of termination of a business associate relationship; and
  5. Limit disclosure of PHI to the minimum necessary to accomplish the purpose for which the business associate was hired.

Model BAA language can be found on the HHS website.2