Want to Save $750,000? It’s Easy – Make Sure You Have A Business Associate Agreement In Place Before You Send PHI To Your Vendor. (You’re Welcome)
“I’m sure we have a Business Associate Agreement on file.” And I’m sure we have all said this before with 100% certainty. But here is a free tip: better double check or it will cost you! The United States Department of Health and Human Services, Office for Civil Rights (HHS) and Raleigh Orthopaedic Clinic, P.A. of North Carolina (Raleigh Orthopaedic) recently entered into a settlement agreement that required Raleigh Orthopaedic to pay $750,000 for sending approximately 17,300 patient records to a vendor without first executing a business associate agreement (BAA). HHS became aware that Raleigh Orthopaedic had disclosed PHI without a BAA in place following the receipt of a breach report from Raleigh Orthopaedic.
In addition to the $750,000 monetary payment, the settlement also required Raleigh Orthopaedic to implement a substantial corrective action plan. The corrective action plan requires Raleigh Orthopaedic to:
- Provide HHS with a list of all of its business associates
- Provide HHS with copies of all BAAs
- Revise its policies and procedures to establish a process for assessing whether entities are business associates; designate a responsible individual to ensure BAAs are in place prior to disclosing PHI to a business associate; create a standard template BAA; establish a standard process for maintaining documentation of BAAs for at least six (6) years beyond the date of termination of a business associate relationship; and limit disclosures of PHI to any business associate to the minimum necessary to accomplish the purpose for which the business associate was hired
- Retrain workforce members on the revised policies and procedures (training materials must be approved by HHS)
- Notify HHS of any “reportable events,” which includes violations of Raleigh Orthopaedic’s policies and procedures by workforce members
- Submit Annual Reports to HHS addressing Raleigh Orthopaedic’s compliance with the corrective action plan
So if you don’t have an extra $750,000 just sitting around, you may want to take some time to peruse your vendor list to make sure that you have entered into a BAA with all vendors who create, receive, maintain, or transmit PHI on your behalf. And for all you business associates out there — you need to do the same! Remember, OCR can go after you directly now. Make sure you are tracking the BAAs you need to have in place and make sure you have executed copies!