The U.S. Department of Health and Human Services Office for Civil Rights (“OCR”), which enforces the HIPAA privacy and security rules, recently reached a $31,000 settlement with a pediatric subspecialty practice (“Practice”) that failed to document that it had a business associate agreement (“BAA”) with a medical record storage vendor. The Practice and the vendor had a long-standing business relationship that started in 2003, and during the course of the relationship the Practice shared the protected health information (“PHI”) of over 10,000 patients with the vendor.
OCR’s investigation was initially focused on the business associate storage vendor itself, not on the Practice, and in the course of the investigation OCR discovered that it was only in 2015 that the parties finally got around to entering into a BAA. Neither the OCR news release nor the resolution agreement entered into with the Practice indicated that there was any further breach of the Practice’s PHI — they simply noted the absence of a timely signed BAA. Nevertheless, the investigation of the vendor appears to have been triggered by an incident involving a possible breach of the PHI of another client of the vendor. The resolution agreement requires that the Practice implement a corrective action plan that includes updating policies and procedures relating to business associates and BAAs, as well as additional training of Practice workforce members.
This latest in a string of recent OCR settlements serves as a reminder that entering into a BAA with a business associate is not just a formality for covered entities. Rather, HIPAA requires covered entities to obtain satisfactory assurances from their business associates that they will appropriately safeguard the covered entities’ PHI, which must be documented in a BAA. As OCR continues its HIPAA privacy, security and breach notification audit program, covered entities should ensure that they are keeping master lists of their business associates and related BAAs.