Lack of Signed Business Associate Agreement Leads to $31,000 HIPAA Settlement | Practical Law

The Department of Health and Human Services (HHS) has announced a $31,000 settlement with a small, for-profit health provider for potential violations of the Privacy Rule under the Health Insurance Portability and Accountability Act (HIPAA). The enforcement action involved the lack of a signed HIPAA business associate agreement governing the relationship between the provider (a HIPAA covered entity) and its business associate.

Practical Law Legal Update w-007-7112 (Approx. 6 pages)

by Practical Law Employee Benefits & Executive Compensation
Published on 21 Apr 2017
USA (National/Federal)

On April 20, 2017, HHS announced a $31,000 settlement agreement with a small, for-profit health care provider with a pediatric subspecialty practice that operates several clinics in Illinois, for potential violations of the HIPAA Privacy Rule (see HIPAA Privacy, Security, and Breach Notification Toolkit and Practice Note, HIPAA Privacy Rule). The provider, a HIPAA covered entity, must also implement a corrective action plan (see Practice Note, HIPAA Enforcement and Group Health Plans: Penalties and Investigations).
HHS began a compliance review of the provider in August 2015, following an investigation of the provider's third-party vendor, a HIPAA business associate (BA), that stored inactive medical records containing protected health information (PHI) of the provider's patients (see Standard Documents, HIPAA Business Associate Agreement and HIPAA Business Associate Policy, and Practice Note, HIPAA Business Associates and Cloud Computing for Group Health Plans). Although the provider began disclosing PHI to the vendor in 2003, neither party could produce a signed business associate agreement (BAA) governing the period before October 2015.
HHS's investigation indicated that the following conduct occurred:
  • The provider failed to obtain satisfactory assurances from the vendor, in the form of a written BAA, that the vendor would appropriately safeguard the PHI in its possession or control.
  • The provider impermissibly disclosed the PHI of more than 10,700 individuals to the vendor by transferring the PHI to the vendor without obtaining the vendor's satisfactory assurances, in the form of a written BAA.

Corrective Action Plan

In addition to the $31,000 payment, the provider must carry out a corrective action plan (CAP) focusing on specific compliance requirements.

Policies and Procedures

Regarding its written HIPAA policies and procedures, the provider must:
  • Develop, maintain, and revise the policies and procedures to comply with HIPAA's privacy and security standards, including to reflect minimum content requirements addressed under the CAP (see Practice Note, HIPAA Security Rule).
  • Send its policies and procedures to HHS for the government's review and approval.
  • Revise the policies and procedures for changes recommended by HHS in its review, and resubmit the policies and procedures to the government until they are approved.
  • Finalize and formally adopt the revised policies and procedures, consistent with the provider's administrative procedures, following HHS's final approval.
  • Distribute the policies and procedures to all members of the provider's workforce, and to new workforce members after they start working for the provider.
  • Collect signed and written or electronic initial compliance certifications from its workforce members stating that they have read, understand, and will follow the policies and procedures.
  • Evaluate, update, and revise its policies and procedures at least once every year (and more frequently, if appropriate).

Content Requirements Regarding Business Associate Agreements

Concerning BAA compliance, the provider's policies and procedures must provide for:
  • Designation of an individual (or individuals) to ensure that the provider enters into a BAA with each of its BAs before PHI is disclosed to the BA.
  • Creation of a standard template BAA.
  • A process for assessing current and future business relationships to determine whether each relationship is with a BA.
  • Procedures that address:
    • negotiating and entering into BAAs with BAs before disclosing PHI to the BAs;
    • maintaining documentation of BAAs for at least six years after the BA relationship terminates; and
    • limiting disclosures of PHI to BAs to the minimum amount necessary for the BAs to perform their duties.

Disclosure to HHS of the Provider's Business Associates

The CAP also requires the provider to disclose to HHS:
  • The names of all its BAs and/or vendors that create, receive, maintain, or transmit PHI on the provider's behalf.
  • Copies of the service agreements or BAAs that the provider maintains with its BAs and/or vendors.

Training

Regarding training (see Standard Document, HIPAA Training for Group Health Plans: Presentation Materials), the CAP requires the provider to:
  • Send HHS proposed training materials for its revised policies and procedures (as approved by HHS) for the government's review and approval. Similar to the process for its policies and procedures, the provider will need to revise and resubmit the training materials to reflect HHS's concerns until they are approved by HHS.
  • Provide documentation that:
    • all workforce members who have access to PHI have received the training, including on an annual basis going forward;
    • each of the provider's new workforce members with access to PHI receives the training within a specified time of beginning work; and
    • the provider reviews the training materials annually, and updates the training materials to reflect changes in federal law or HHS guidance, any issues discovered during audits or reviews, and other relevant developments.

Practical Impact

Under the HIPAA privacy and security rules for group health plans and other covered entities, the BAA is a keystone requirement from which other compliance obligations flow (both from the covered entity's and the BA's perspectives). Some of these compliance obligations reflect the expanded scope of who may be liable for HIPAA violations under the 2013 final "omnibus" regulations (see Legal Update, Final HIPAA Regulations Change Breach Notification Rules). For example, the HIPAA regulations require that a BAA between a HIPAA covered entity and its BA must provide that any subcontractors that create, receive, maintain, or transmit PHI on the BA's behalf agree to the same restrictions and conditions that apply to the BA regarding PHI.
Also, HHS's announcement of this latest settlement signals another, more easily overlooked aspect of BAA compliance – the agreement should be signed by both the covered entity and the BA so there is no question regarding the BAA's enforceability.