Not Updating BAAs Can Be Costly

Late in September, the U.S. Department of Health and Human Services (HHS) announced that Care New England ("CNE") agreed to pay a $400,000 fine and implement a corrective action plan, in order to settle HIPAA violations. The investigation by HHS's Office for Civil Rights stems back to Nov. 5, 2012.

In addition to the notification from Woman & Infants Hospital of Rhode Island ("WIH") that unencrypted back-up tapes containing nearly 14,000 patients' protected health information (PHI), subsequent violations were discovered. As OCR Director, Jocelyn Samuels indicated, "[t]his case illustrates the vital importance of reviewing and updating, as necessary, business associate agreements, especially in light of required revisions under the Omnibus Final Rule." Despite CNE and Woman & Infants Hospital of Rhode Island having a Business Associate Agreement (BAA) in place in March 2005, it had not been updated until Aug. 28, 2015 - nearly two-and-a-half years after the Omnibus Rule was published in the Federal Register.

Here are some of the key violation areas identified by HHS:

• WIH disclosed PHI and allowed CNE, its business associate, to "create, receive, maintain or transmit PHI, on its behalf, without obtaining satisfactory assurances as required under HIPAA;"

• An updated BAA that meets the requisite implementation specifications under the Privacy and Security Rules was not executed;

• A valid BAA had not been contemplated by the two entities in over a decade.

By now, anyone engaged in the creation, receipt, transmission or maintenance of PHI should know that an annual risk assessment and gap analysis is required. This assessment should give an entity a "punch list" of items that need to be updated. Similarly, a good way to do due diligence on a potential business associate or subcontractor is to ask them the following five questions: (1) Are employees trained annually; (2) Is there a requisite BAA or similar agreement in place; (3) Is an annual risk assessment conducted; (4) Is data encrypted at rest and in transit; and (5) Are there relevant policies and procedures in place?

These questions should provide both physicians and business associates with a starting point for obtaining reasonable assurances of HIPAA compliance. As fines are becoming more expensive and more prevalent, the old adage, "an ounce of prevention is worth a pound of cure" is seemingly more apropos.