HHS Sends a Clear Message Concerning Business Associate Agreements: Close is Not Good Enough!

This month, via a notice of settlement to its listserv, Health and Human Services’ (“HHS”) Office for Civil Rights sent a clear message to providers: review and update business associate agreements (“BAA”) as necessary to ensure they contain every element required by law, or face being fined.

What Happened?

Failing to update a BAA cost Care New England Health System (“CNE”) $550,000 and the burdens associated with being subject to a Corrective Action Plan. CNE, a subsidiary of Women & Infants Hospital of Rhode Island (“WIH”), performs a variety of functions for WIH, including finance, human resources, compliance, and administrative functions. WIH executed a BAA with CNE effective March 15, 2005. However, WIH never updated the BAA to incorporate revisions required later under the HIPAA Omnibus Final Rule.

WIH reported to HHS on November 5, 2012 that it lost unencrypted backup tapes containing the protected health information (“PHI”) of some 14,000 patients, including in some instances Social Security Numbers. HHS determined WIH impermissibly disclosed PHI to CNE because the BAA lacked required language indicating CNE would appropriately safeguard the PHI.

WIH entered into a consent judgment with the Massachusetts Attorney General’s Office, settling for $150,000. The consent judgment covered the conduct of the breach. WIH settled with HHS for $400,000 and a Corrective Action Plan (“CAP”) for its failure to have all the necessary verbiage in the BAA. The clear message is that close is not good enough. HHS will not tolerate BAAs that lack all the necessary language.

Business Associate Agreements Review

BAAs must contain all the necessary elements scattered throughout the Code, including those specified at 45 CFR §164.502(e):

  • Describe permitted and required uses of PHI;
  • Provide that the BA will not use or disclose PHI except as permitted by law; and
  • Require the BA to use appropriate safeguards to protect PHI.

WIH had a BAA, but it was missing a few elements. Providers should have a lawyer review their BAAs to ensure they contain all the elements required by law.

Contact Marlena at PNW Strategic Legal Solutions with questions or to have your BAAs reviewed.  425-553-2070