Are Your Business Associate Agreements Up to Date?
If not, learn a lesson from a recent HIPAA settlement.
A press release from the U.S. Department of Health and Human Services discussed a potential violation of protected health information (PHI) by Care New England Health System (CNE). Woman & Infants Hospital of Rhode Island (WIH) is a CNE covered entity. CNE also acted as a business associate with WIH by providing corporate and technical support, including information security.
When WIH reported the loss of unencrypted ultrasound tapes of approximately 14,000 individuals to the U.S Health and Human Services Office for Civil Rights (OCR), an investigation was launched. The tapes included names, dates of birth, doctors’ names, and some Social Security Numbers.
WIH supplied OCR with its business associate agreement with CNE. It was discovered that the agreement had not been updated since 2005 and did not meet the current requirements under HIPAA Omnibus Final Rule.
From September 23, 2104 to August 28, 2015, OCR found that WIH disclosed and gave CNE access to PHI without “obtaining satisfactory assurances, in the form of a written business agreement” that CNE would safeguard PHI as required by the HIPAA Privacy and Security Rule.
CNE agreed to a settlement with OCR for $400,000. CNE is also required to enact a corrective action plan to update its policies and procedures to protect ePHI and provide workforce training within 90 days of the updates and yearly thereafter.
To avoid a similar violation, make sure all written contracts require business associates to:
- Establish what are permitted uses and disclosures of PHI
- Implement safeguards to protect PHI
- Comply with the Privacy Rule as the Covered Entity would in order to perform their job
- Report any unauthorized use or disclosure of PHI
- Allow Department of Health and Human Services access to their systems to determine HIPAA compliance
- Allow individual’s access to his/her PHI as specified in contract
- Maintain a list of disclosures of PHI
- Return or destroy all PHI at the end of the contract
- Authorize termination of contract by Covered Entity if found to violate a material term of the contract
- Ensure all subcontractors that they may hire abide by the same rules
Further guidance and samples can be found on the HHS website at https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.