Do You need a BAA for HIPAA Compliance?
The physician group, Advanced Care Hospitalists PL (ACH), a contract physician group, last week agreed to pay $500,000 and to adopt a corrective action plan to address the alleged conduct after reaching a settlement with the Office for Civil Rights (OCR). to resolve potential HIPAA violations relating to the sharing of protected health information (PHI) with a vendor.
ACH serves more than 20,000 patients per year by providing contracted internal medicine physicians to hospitals and nursing homes. ACH engaged an unnamed individual to provide medical billing services but did not enter into a business associate agreement (BAA). The individual appeared to work for a Florida billing company called Doctor's First Choice Billings, Inc. (First Choice), but First Choice allegedly had no knowledge of the individual's activities. ACH later learned through a local hospital that patient information was viewable on First Choice's website. ACH initially identified about 400 affected individuals and filed a breach notification report with OCR two months after learning of the alleged breach. However, ACH later learned and reported that 8,855 more patients could have been affected.
OCR conducted an investigation and discovered that ACH had never entered into a BAA with the individual as required by HIPAA and failed to have any policies regarding entering into BAAs with vendors who could have access to PHI. In the settlement agreement, ACH admitted no liability but did adopt a corrective action plan that requires ACH to: (1) provide an accounting of its business associates to OCR and copies of business associate agreements; (2) conduct a system-wide security risk analysis, subject to approval by OCR; and (3) develop and implement a risk management plan, also subject to approval by OCR.
While this settlement is a particularly egregious example of an unvetted vendor gone rogue, it highlights the importance of covered entities carefully examining their vendors who may have access to PHI, implementing policies and procedures requiring BAAs for such vendors, and keeping track of their BAAs through a database or other method.
To determine if you are complying with all aspects of HIPAA, contact for a free initial consultation: