[BreachExchange] Are Your Business Associate Agreements In Place?

Destry Winant destry at riskbasedsecurity.com
Fri Feb 8 05:27:57 EST 2019


https://www.jdsupra.com/legalnews/are-your-business-associate-agreements-73150/

HHS Announces Significant Settlement Agreements for Noncompliance

On December 4 and December 11, 2018, the U.S. Department of Health and
Human Services’ (HHS) Office for Civil Rights (OCR) issued press
releases announcing two settlements with health care providers for
violation of the Health Insurance Portability and Accountability Act’s
(HIPAA) privacy and security rules. Specifically, the releases
reported data breaches and failures to have Business Associate
Agreements (BAAs) in place with contractors having access to protected
health information (PHI).

The first involved an entity called Advanced Care Hospitalists PL
(ACH), which agreed to pay a $500,000 penalty for contracting with a
fraudulent billing company and not entering into a Business Associate
Agreement with the contractor. In 2014, a hospital notified ACH that
its patient information was viewable on the contractor’s (First
Choice) website. ACH filed a breach report with OCR reporting 400
affected patients. Later it was determined that an additional 8,855
patients could have had data revealed. In addition to the penalty, ACH
agreed to implement privacy and security procedures and Business
Associate Agreements with all contracting entities with access to
patient data.

On December 11, 2018, OCR issued a second press release concerning
Pagosa Springs Medical Center (PSMC), which agreed to pay a $111,400
penalty when it was discovered that a former PSMC employee, after
termination, continued to have remote access to PSMC’s web-based
scheduling calendar, which contained patients’ electronic protected
health information (ePHI). Failing to revoke the former employee’s access was
found to be a violation of the privacy and security rules, and failure
to have a Business Associate Agreement with the software company
sponsoring the calendaring system (Google) was also deemed a
violation.

These violations came to OCR’s attention through the breach reports
that the HIPAA reporting requirements compelled the providers to file
for the discovered data breaches. That reporting triggered additional
HHS auditing for compliance with the HIPAA rules. The Employee
Benefits Security Administration (EBSA) also examines HIPAA compliance
during its investigation of employer-sponsored health plans. These
cases are a reminder for covered entities to be diligent about keeping
privacy and security policies and procedures up to date, and about
ensuring that they are actually followed. As these examples
demonstrate, noncompliance with the Business Associate Agreement
requirement and with the privacy and security rules can lead to
significant penalties.
