The U.S. Department of Health and Human Services (HHS) announced on April 14, 2016 that a North Carolina healthcare clinic must pay $750,000 to settle charges that it potentially violated the HIPAA Privacy Rule by sharing protected health information (PHI) involving 17,000 of its patients without first executing a Business Associate Agreement (BAA) with a third-party vendor.
The settlement underscores the importance of the HIPAA requirement to obtain BAAs and shows it is more than a “check-the-box paperwork exercise”.1 The settlement should serve as a reminder to all Covered Entities of the potentially serious consequences that may arise from failure to comply with the HIPAA regulations.
In addition to the $750,000 payment, the clinic must:
- Establish a process to assess whether entities are business associates;
- Designate a responsible individual to assure BAAs are in place prior to disclosing any PHI to a business associate;
- Create a standard template BAA;
- Establish a standard process to maintain documentation of BAAs for at least six years beyond the date of termination of a business associate relationship; and
- Limit disclosure of PHI to the minimum necessary to accomplish the purpose for which the business associate was hired.
Model BAA language can be found on the HHS website.2