HIPAA Business Associate Agreements: Recent Settlement Actions Illustrate Importance Of Business Associate Agreements To HIPAA Compliance

Breanne M. Rubin and Kevin D. Devaney

Handshake    Recent settlements between the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) emphasizes the importance of complying with HIPAA regulations regarding business associates prior to the release of any protected health information (PHI) to a third party vendor. Three recent settlement actions are described below. 

    In March of 2016, North Memorial Health Care of Minnesota agreed to pay $1.55 million to settle charges that it potentially violated HIPAA for failing to execute a business associate agreement with Accretive Health, Inc., a third party vendor which it contracted with to provide certain payment and health care operations activities, and for failing to conduct a thorough enterprise-wide risk analysis. OCR initiated its investigation of North Memorial following receipt of a breach report which indicated an unencrypted, password-protected laptop was stolen from a business associate’s employee’s locked vehicle, impacting the electronic PHI (ePHI) of nearly 10,000 individuals. The investigation uncovered that North Memorial neglected to enter into a business associate agreement with Accretive Health, as required under the HIPAA Privacy and Security Rules, so that Accretive Health could perform certain payment and health care operations activities on its behalf. The investigation further determined North Memorial failed to complete a risk analysis to address all of the potential risks and vulnerabilities to the ePHI that it maintained, accessed or transmitted across its entire IT infrastructure including, but not limited to all applications, software, databases, servers, workstations, mobile devices and electronic media, network administration and security devices, and associated business processes. 

    In March of 2016, Feinstein Institute for Medical Research, a biomedical research institute, agreed to pay $3.9 million to settle potential violations of the HIPAA Privacy and Security Rules and further agreed to undertake a substantial correction action plan to bring its operations into compliance. Similar to the facts in the North Memorial case, OCR’s investigation began after Feinstein filed a breach report indicating a laptop computer containing the ePHI of approximately 13,000 patients and research participants had been stolen from an employee’s car.  The ePHI stored in the laptop included the names of research participants, dates of birth, addresses, social security numbers, diagnoses, laboratory results, medications and medical information relating to potential participation in a research study.  OCR’s investigations found “Feinstein’s security management process was limited in scope, incomplete, and insufficient to address potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI held by the entity.” 

    In April of 2016, Raleigh Orthopaedic Clinic, P.A. agreed to a $750,000 settlement and a formal corrective action plan to resolve potential HIPAA violations for its failure to execute a business associate agreement prior to releasing x-rays containing PHI to its business associate. OCR’s investigation revealed Raleigh Orthopaedic disclosed the PHI of 17,300 patients contained in x-ray films to a third party vendor that promised to transfer the images to electronic media in exchange for harvesting the silver from the x-ray films.   

    These situations underscore the importance of HIPAA compliance, as consequences for failing to comply with HIPAA are significant. In OCR’s Phase 2 of its audit program, which has already commenced and is expected to be completed by the end of 2016, business associate relationships will continue to receive heightened scrutiny. Auditees will be asked to identify their business associates and/or subcontractors, which will then subject those business associates and subcontractors to audits as well.  In a press release announcing the settlement with North Memorial, OCR Director Jocelyn Samuels emphasized that “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise” and that “it is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.” 

    In light of these enforcement actions and with Phase 2 HIPAA audits underway, it is imperative covered entities take the following steps to ensure compliance with HIPAA regulations regarding disclosure of PHI to business associates:

  1. Review current relationships with third parties and assess whether such third party vendors are considered “business associates” under HIPAA. As defined in 45 CFR § 160.103, a “business associate” is a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity. Business associate functions and activities include: claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing. Business associate services include: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial.  Covered entities should consider tracking the flow of data and payments made outside the organization to capture any missed business associate relationships. 
  2. Confirm that business associate agreements are in place with each third party that falls within the definition of a business associate under HIPAA. If there is not already a business associate agreement in place, one should be entered into immediately.  Covered entities should consult an experienced health care attorney in the event it has disclosed PHI to a business associate without a proper business associate agreement in place. 
  3. Review current business associate agreement form to ensure adequacy as it relates to the flow of information to that particular business associate, and the agreement otherwise complies with HIPAA and applicable state law. 
  4. Review current policies and procedures to ensure there are procedures in place with respect to disclosing PHI to a third party, and there is one or more designated individuals responsible for monitoring, negotiating and documenting business associate relationships.

    For questions regarding HIPAA, business associate agreements or other health privacy-related matters, please contact Breanne M. Rubin or Kevin D. Devaney.


Disclaimer:  The article in this publication has been prepared by Eastman & Smith Ltd. for informational purposes only and should not be considered legal advice. This information is not intended to create, and receipt of it does not constitute, an attorney/client relationship.