Make Sure You Execute BAAs for HIPAA Compliance

May 18, 2016
Ericka L. Adler, JD

Shareholder at Roetzel & Andress

It's important that physician practices stay compliant with HIPAA by executing business associate agreements with various vendor partners.

When physicians and other providers who are "covered entities" share protected health information ("PHI") with a third party, there is always the need to assure compliance with the Health Insurance Portability and Accountability Act (HIPAA) by executing a business associate agreement (BAA). In my experience, I find that most providers understand a business associate to be the IT company, billing company, and certain other contractors who regularly access PHI, but may not consider other business relationships to warrant a BAA.

In a recent settlement, Raleigh Orthopaedic Clinic, P.A. of North Carolina (Raleigh Orthopaedic) agreed to pay $750,000 to settle charges that it potentially violated the HIPAA Privacy Rule by handing over the PHI of approximately 17,300 patients to a potential business partner without first executing a BAA.

Apparently, HHS' Office for Civil Rights (OCR) initiated its investigation of Raleigh Orthopaedic after receiving a breach report on April 30, 2013. The investigation revealed that Raleigh Orthopaedic had released the X-ray films and related PHI of 17,300 patients to an entity that promised to transfer the images to electronic media in exchange for harvesting the silver from the X-ray films. No BAA was executed between Raleigh Orthopaedic and the business entity prior to turning over the X-rays (and the PHI they contained).

According to a report of the investigation at HHS.gov, in addition to the $750,000 payment, Raleigh Orthopaedic is required to revise its policies and procedures to: establish a process for assessing whether entities are business associates; designate a responsible individual to ensure business associate agreements are in place prior to disclosing PHI to a business associate; create a standard template business associate agreement; establish a standard process for maintaining documentation of business associate agreements for at least six years beyond the date of termination of a business associate relationship; and limit disclosures of PHI to any business associate to the minimum necessary to accomplish the purpose for which the business associate was hired.

Although regular HIPAA training is performed by most physician practices, routine training usually focuses on day-to-day patient interactions. The business staff of a covered entity also needs to be trained to question every business interaction (and potential business interaction) to determine whether a BAA is needed and, when in doubt, to execute one. Your practice should always have a designated individual who can assess who is a business associate and who makes sure a BAA is in place when needed. This individual should also establish a process for maintaining all of the practice's BAAs. Additionally, the process your practice follows with regard to BAAs should be added to the practice's HIPAA policies.

When putting together or amending the form of BAA your practice uses, consider adding a requirement that the business associate indemnify the practice for violations of HIPAA which may occur. I also recommend that contracts with all third parties who are also business associates contain a requirement that the business associate maintain and show evidence of HIPAA/HITECH insurance which names the practice as an additional insured. Practices should make sure they acquire this type of coverage for the practice as well, since HIPAA breaches can be expensive.