As a responsible healthcare provider, creating and maintaining a culture of HIPAA compliancy is mandatory in order to stay out of hot water with the Department of Health and Human Services Office for Civil Rights. Business associate agreements are a critical part of this. They must be in place before your practice grants a business associate access to protected health information. Not being diligent when it comes to business associate agreements leads to catastrophic consequences.
Advanced Care Hospitalists, a multispecialty group in Florida, recently coughed up a half million dollars to the Office for Civil Rights. Their transgression? The company used a medical billing service that shared patient information on its own website. The billing service—Doctor’s First Choice Billings, Inc.—was unaware of the representative who committed the grievous error. Does that mean Advanced Care Hospitalists is off the hook? They would have been if they had business associate agreements with all of their vendors. Unfortunately, they didn’t, so they were liable. And their punishment wasn’t limited to a stiff fine. The Department of Health and Human Services also required Advanced Care Hospitalists to embark on a vigorous corrective action plan that included the implementation of business associate agreements, a thorough risk analysis, and comprehensive policies and procedures to comply with the HIPAA Security Rule.
Understanding Business Associate Agreements
A business associate is any third-party contractor that works for or on your behalf. They include lawyers, accountants, IT programmers, shredding companies, and many others. Business associate agreements address the security requirements a business associate must undertake in order to fully protect the privacy of your patients. Business associates are only permitted to share protected health information while carrying out duties relating to their work for a covered entity. If they make use of or disclose sensitive data that isn’t authorized by the business associate agreement, it can lead to civil and criminal penalties.
It’s crucial to understand that without a business associate agreement, a cyberattack on a computer owned by one of your vendors makes you liable. You will bear the consequences and the fallout from the data breach. The same goes for a stolen laptop. This happened to North Memorial Health Care of Minnesota. They didn’t have a business associate agreement in place with one of the companies they worked with. The company, Accretive Health, had one of its laptops stolen with over 9,000 patient health records on it. North Memorial Health Care of Minnesota ended up paying a $1.55 million HIPAA violation fine!
A Quick and Easy Remedy
So how do the experts in HIPAA compliancy handle business associate agreements? At PCIHIPAA, we’ve created a solution called OfficeSafe that makes creating customized business associate agreements for each of your partners effortless. You’re able to enter the information for all of your business associates in one place and then simply send their agreements from the program as a PDF. OfficeSafe makes it easy to keep track of all your business associates and ensure that their agreements are signed and up-to-date. It also provides every tool necessary to ensure that your practice is protected and 100% HIPAA compliant.
An ounce of prevention is worth a pound of cure. But when it comes to business associate agreements and HIPAA compliancy, an ounce of prevention can avert an onslaught of headaches, fines, and embarrassment. Cover your bases. Make sure your practice has a protocol in place for properly handling business associate agreements. If you don’t, you’re going to suffer the wrath for an unethical and avoidable error.