A Capehart Scatchard Blog

The Importance of Having an Updated Business Associate Agreement

Posted on October 4, 2016 in HIPAA

As part of its increased enforcement efforts, the Office for Civil Rights of the US Department of Health and Human Services (OCR) recently entered into a $400,000 settlement with a Rhode Island hospital for failing to update its business associate agreement as required under the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA). This settlement brings the total of HIPAA privacy and security fines and settlements to more than $20 million this year, a dramatic increase from $6.2 million in all of 2015.

In short, in late 2012 the hospital notified federal authorities that it had lost unencrypted backup tapes containing ultrasound records for over 14,000 women, including patient names, Social Security numbers, and dates of birth.

The hospital’s information technology and information security services were provided by its parent company. The parent company and the hospital, its subsidiary, were operating under a business associate agreement effective March 15, 2005. That agreement was not updated until August 28, 2015, and therefore did not include the revisions mandated by the HIPAA Omnibus Final Rule.

Specifically, the $400,000 settlement, effectively a fine, was imposed for the hospital’s failure to “obtain satisfactory assurances as required under HIPAA,” in the form of a written business associate agreement in which the parent company committed to safeguard the hospital’s PHI. An additional $150,000 was paid to the Massachusetts Attorney General’s Office to resolve a state investigation into the underlying data breach.

“This case illustrates the vital importance of reviewing and updating as necessary business associate agreements, especially in light of required revisions under the Omnibus Final Rule,” said OCR Director Jocelyn Samuels. “The Omnibus Final Rule outlined necessary changes to established business associate agreements and new requirements which include provisions for reporting.”

With the significant increase in data theft, it is clear that OCR is ramping up its enforcement efforts and the accompanying fines. The aim is to ensure that covered entities and business associates not only employ appropriate physical and technical safeguards to protect patients’ PHI, but also keep abreast of changing HIPAA requirements so that their written agreements reflect current regulation. Covered entities should therefore regularly reassess their business associate agreements, and any other agreements with vendors, subcontractors, and others who may qualify as business associates, to ensure they remain compliant with changes to HIPAA.


Questions regarding this article may be sent to Publications@Capehart.com.
