Who has the obligation to assure that a HIPAA Business Associate Agreement (“BAA”) has been executed and updated as necessary? The Office for Civil Rights of the U.S. Department of Health and Human Services (“OCR”) recently clarified this issue, or radically altered prevailing thinking on it, depending on one’s perspective. In a press release on September 23, 2016, OCR announced the first penalty proceeding against a Business Associate for failure to assure that a BAA is in place: a $400,000 settlement with a Business Associate that had failed to have a BAA in place with a hospital and to assure that an existing BAA had been updated and was current. All HIPAA Business Associates should take notice and review their relationships with the providers, health plans and entities that provide services to providers and plans.
HIPAA Business Associates are, as defined in the regulations, entities or individuals who create, receive, maintain or transmit identifiable patient information (condition, treatment or billing) in order to provide a service to a healthcare provider or health plan. Business Associates may include IT service providers, billing and operations consultants, healthcare software developers, attorneys and accountants. Business Associates are required to protect identifiable patient information as required by the HIPAA Security Rule and certain provisions of the HIPAA Privacy Rule. They are required by HIPAA to sign contracts with their provider, plan or other Business Associate customers, known as HIPAA Business Associate Agreements, in which they agree to protect patient information as required by the pertinent HIPAA Rules. Business Associates are also under the direct jurisdiction of OCR, as are providers and plans, with regard to proceedings for HIPAA violations.
The $400,000 settlement payment was imposed on Care New England (“CNE”), an entity that owns a number of hospitals and also provides administrative and operational support for those hospitals. The penalty was levied against CNE in its capacity as a Business Associate for failure to obtain a BAA in one instance, and failure to update an existing BAA in another. This is a very unusual finding in that OCR could perhaps have proceeded against CNE as a Covered Entity but chose, instead, to penalize it as a Business Associate. Perhaps OCR seeks to send a message to Business Associates that they, too, have an obligation to make sure a BAA is in place and is current.
The underlying incident was the loss of unencrypted backup tapes from one of CNE’s hospitals. The Massachusetts Attorney General had already levied penalties against the hospital for violations of the Massachusetts Standards for the Protection of Personal Information of Residents of the Commonwealth, and so OCR decided not to “pile on” the hospital with additional HIPAA penalties. In addition, the Massachusetts Standards are stricter than HIPAA in this area.
Business Associates should promptly review their relationships and contracts with their healthcare customers and clients and assess their information safeguards. If you have questions regarding these HIPAA requirements for your organization, please contact Kenneth N. Rashbaum.