HIPAA BUSINESS ASSOCIATE AGREEMENT BEST PRACTICES: UPDATE 2017

Recent Department of Health and Human Services Office of Civil Rights (HHS OCR) resolution settlements (in lieu of fines) totaling over $15 million confirm that widespread noncompliance with the HIPAA Business Associate Agreement requirement is now front and center in HHS OCR enforcement actions. OCR also recently announced a $650,000 settlement against the Catholic Health Care Services of the Archdiocese of Philadelphia, the first ever against a Business Associate directly. In all, last year OCR settled or fined violations totaling over $23 million, more than half the total amount levied since HIPAA was enacted; the Business Associate Agreement-related settlements constitute more than one quarter of all HIPAA settlements and fines ever levied.

It is a facial violation of HIPAA for a Covered Entity to transmit, and for a Business Associate to receive, patient Protected Health Information without a written, compliant Business Associate Agreement in place. In other words, if there is no written, compliant Business Associate Agreement in place, the Covered Entity had no right to transmit, and the Business Associate had no right to receive, the PHI in the first place.

The attached advisory, “HIPAA Business Associate Agreement Best Practices,” updated for 2017, analyzes the issues and offers a practical and cost-effective compliance solution for HIPAA-regulated entities for avoiding HIPAA civil and criminal enforcement penalties based on the Business Associate Agreement requirement.
