The HIPAA Privacy Rule requires Covered Entities to enter into written contracts with Business Associates. A Business Associate Agreement (BAA) outlines the expectations of the Covered Entity with respect to how the Business Associate will protect the privacy of protected health information (PHI). The HITECH Act and the Omnibus Final Rule expanded the liability of Covered Entities for breaches by Business Associates. Furthermore, per §13410 of the HITECH Act, a Business Associate is now directly liable for uses and disclosures of PHI that are not in accordance with its BAAs or HIPAA’s rules. According to data available at the U.S. Department of Health and Human Services Office for Civil Rights Breach Portal, Business Associates were responsible for forty-four (44) of the 280 incidents reported in CY2018 for breaches impacting 500 or more individuals.
The absence of a HIPAA-compliant BAA with any eligible vendor places a Covered Entity at risk of being found out of compliance with 45 CFR 164.504(e). To emphasize the importance of compliance, the HHS Office for Civil Rights (OCR) released the phase two (2) audit protocol in 2016 and subsequently updated it in July 2018. The updated protocol focuses on Covered Entity and Business Associate compliance with select requirements, including the presence of compliant agreements.
Examples of penalties imposed by the HHS OCR as the result of absent or deficient BAAs include:
April 20, 2017: Center for Children’s Digestive Health (CCDH) fined $31,000 for being unable to produce a valid BAA prior to October 12, 2015 for a vendor CCDH had exchanged PHI with since 2003.
December 4, 2018: Advanced Care Hospitalists PL (ACH) settles with OCR and pays $500,000 over allegations of sharing PHI with an unknown vendor without a BAA.
February 7, 2019: Cottage Health pays $3 million to settle multiple allegations regarding lack of compliance with HIPAA Rules, including failing to obtain a written BAA with a vendor maintaining ePHI on its behalf.
Business Associate Agreements are often an afterthought during the contracting process because the primary focus is on the terms and conditions, as well as the operational aspects of the contract and getting the project implemented. Complicating the management of compliance with HIPAA BAA requirements are legacy agreements that may not have been updated with HITECH provisions, incomplete execution of agreements, the lack of a central repository, and inconsistent breach notification expectations. The trend in OCR enforcement actions highlighted above is reason enough for Covered Entities and Business Associates alike to prioritize BAA-related clean-up projects.