Are Your Business Associate Agreements In Place?

Stinson - Benefits Notes Blog

HHS Announces Significant Settlement Agreements for Noncompliance

On December 4 and December 11, 2018, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued press releases announcing two settlements with health care providers for violations of the Health Insurance Portability and Accountability Act’s (HIPAA) privacy and security rules. Specifically, the releases reported data breaches and failures to have Business Associate Agreements (BAAs) in place with contractors that had access to personal health information (PHI).

The first involved an entity called Advanced Care Hospitalists PL (ACH), which agreed to pay a $500,000 penalty for contracting with a fraudulent billing company without entering into a Business Associate Agreement with the contractor. In 2014, a hospital notified ACH that its patient information was viewable on the contractor’s (First Choice) website. ACH filed a breach report with OCR reporting 400 affected patients. It was later determined that an additional 8,855 patients could have had their data exposed. In addition to the penalty, ACH agreed to implement privacy and security procedures and to put Business Associate Agreements in place with all contracting entities that have access to patient data.

On December 11, 2018, OCR issued a second press release concerning Pagosa Springs Medical Center (PSMC), which agreed to pay a $111,400 penalty after it was discovered that a former PSMC employee continued, after termination, to have remote access to PSMC’s web-based scheduling calendar, which contained patients’ electronic protected health information (ePHI). Failing to revoke the former employee’s access was found to be a violation of the privacy and security rules, and the failure to have a Business Associate Agreement with the software company that provided the calendaring system (Google) was also deemed a violation.

These violations came to OCR’s attention through the mandatory reporting of the discovered data breaches. That reporting triggered additional HHS auditing for compliance with the HIPAA rules. The Employee Benefits Security Administration (EBSA) also examines HIPAA compliance during its investigations of employer-sponsored health plans. These cases are a reminder for covered entities to be diligent about keeping privacy and security policies and procedures up to date and ensuring that they are followed. As these examples demonstrate, noncompliance with the Business Associate Agreement requirement and the privacy and security rules can lead to significant penalties.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Stinson - Benefits Notes Blog
