Do you have a HIPAA Business Associate Agreement (“BAA”) in place with all your vendors who have access to your patients’ Protected Health Information (“PHI”)? If not, you may be exposing your practice to a significant monetary penalty. On December 4, 2018, the United States Department of Health and Human Services Office of Civil Rights released a statement revealing that it had reached a $500,000 settlement with a Florida hospitalist group for disclosing PHI to a vendor with whom the group did not have a HIPAA BAA. The group retained medical billing services from an individual who claimed to be a representative of a Florida-based billing company. From November 2011 through June 2012, the individual provided medical billing services for the group. In February 2014, a local hospital informed the hospitalist group that patient information was viewable on the billing company’s website. The group filed a breach notification report with the Office of Civil Rights in 2014, triggering an investigation. The investigation revealed that the group did not have a BAA with the billing company or with the individual who provided the billing services, nor did it have any policies or procedures providing for BAAs as required by HIPAA. The investigation was resolved with the hospitalist group agreeing to pay $500,000 and undertake a corrective action plan.
The HIPAA Privacy Rule requires that a covered entity, such as a physician group or healthcare facility, enter into a written BAA that satisfies the elements in 45 CFR 164.504(e) when hiring or doing work with an entity or individual that will use, have access to, or receive PHI. Through the agreement, the covered entity obtains assurances from the Business Associate (“BA”) that the PHI will be used only for the purposes for which the BA is being engaged, that the BA will safeguard the information from misuse, and that the BA will help the covered entity comply with its duties under the Privacy Rule.
As the new year approaches, it is a good time to review your HIPAA policies regarding BAs and make sure a HIPAA BAA is in place with each BA.