Late last month, the Office for Civil Rights (OCR) issued details of yet another HIPAA breach settlement. This time, though, the breach demonstrated the need to periodically review and update business associate agreements (BAAs) to ensure ongoing compliance.
Here are the settlement details and how to verify your BAAs are HIPAA-compliant.
On September 23, 2016, the OCR confirmed that a $400,000 settlement had been reached with Care New England Health System (CNE). CNE is a business associate that provides corporate support, such as technical and IT support, to a number of covered entities, including Women & Infants Hospital of Rhode Island (WIH).
In November 2012, WIH reported the loss of ultrasound backup tapes containing the unencrypted PHI of approximately 14,000 patients. During the investigation, it was found that WIH disclosed PHI to CNE, allowing the business associate to create, receive, maintain, or transmit the PHI without a valid written BAA.
The only agreement on file was dated March 15, 2005. It was not updated until August 2015, during the investigation, and until then it did not include the revisions required under the HIPAA Omnibus Final Rule.
According to OCR Director Jocelyn Samuels, "The Omnibus Final Rule outlined necessary changes to established business associate agreements and new requirements which include provisions for reporting. This case illustrates the vital importance of reviewing and updating, as necessary, business associate agreements, especially in light of required revisions under the Omnibus Final Rule."
For its part, WIH previously reached a settlement of $150,000 with the Massachusetts Attorney General's Office.
If you haven't yet reviewed and updated your vendor BAAs, now is the time to do so.
1. Identify all business associates. More specifically, identify every vendor that creates, receives, maintains, or transmits your patients' PHI on your behalf, not just those with direct access to your systems. Remember that the HIPAA Omnibus Final Rule redefined 'business associate' to include a "subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate," so your vendors' own subcontractors are in scope as well.
2. Review existing BAAs. Review the existing BAA for each of the vendors identified above. If the agreement predates the Final Rule's effective and compliance dates (March 26, 2013, and September 23, 2013, respectively), it almost certainly lacks the Omnibus provisions (such as the business associate's direct obligation to comply with the Security Rule and to report breaches of unsecured PHI) and needs to be replaced. The transition period that allowed older, otherwise compliant agreements to remain in force ended September 22, 2014, so a pre-Omnibus BAA that is still in effect today is out of date.
3. Draft new BAAs. If you need to draft a new BAA, the OCR offers sample business associate agreement provisions that can be helpful. Once completed, have each vendor sign the new agreement and keep the executed copy on file; HIPAA requires that such documentation be retained for six years.
4. Review BAAs annually. It's a good idea to review all vendor agreements annually to ensure they remain HIPAA-compliant. This is also a good time to audit vendors to confirm they are actually operating within HIPAA guidelines, since a signed agreement by itself proves nothing about a vendor's controls. At a bare minimum, verify that each vendor has written HIPAA policies and procedures and has documented the completion of a HIPAA security risk assessment within the last 12 months.
While this process may seem burdensome, the recent settlement with Care New England Health System demonstrates the importance of completing BAA reviews — not only for the safety of patients' PHI but also for the fiscal health of the organization.
Have you updated your business associate agreements? How often do you review them? Please join the conversation below.