HHS has announced that a health care provider has paid $31,000 and agreed to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act (“HIPAA”). The settlement resulted from the covered entity disclosing more than 10,000 of its patients’ personal health information (“PHI”) to a document storage company (i.e., a business associate) without first entering into a Business Associate Agreement (“BAA”) to obtain assurances that the company would protect the data, as required by HIPAA.
Applicable Law. A BAA is a contract between a HIPAA-covered entity and a business associate. In general terms, a business associate is a service provider that uses PHI to perform its services for a covered entity. Covered entities include group health plans and health care providers.
HIPAA authorizes covered entities to disclose PHI to business associates, provided that the parties meet certain requirements, including the execution of a BAA. The BAAs serve to protect PHI in accordance with HIPAA guidelines.
HIPAA regulations that became effective in 2013 require BAAs to provide that: (i) the business associate will not only report any security incidents of which it becomes aware, but also any breaches of unsecured PHI; and (ii) if the covered entity delegates any of its HIPAA obligations to a business associate, the business associate will comply with such obligations when performing those duties.
Facts. In this case, HHS launched a compliance review of the covered entity following its investigation of the business associate. HHS initially investigated the business associate after hundreds of files containing PHI were found in a dumpster outside its facility.
HHS’s compliance review revealed that, while the covered entity began disclosing PHI to the business associate in 2003, neither party could produce a BAA that was executed before 2015. Following its review, HHS determined that the covered entity had disclosed the PHI of nearly 11,000 individuals to the business associate without having a BAA in effect.
To resolve these HIPAA violations, the covered entity agreed to pay HHS $31,000 and implement a corrective action plan that required it to make a number of changes to its policies and procedures for safeguarding PHI. Specifically, the covered entity must establish: (i) a process for determining all of its relationships with business associates; and (ii) procedures for limiting its disclosures of PHI (to its business associates) to the minimum amount necessary.
Employer Takeaway. In view of HHS’s active investigation of HIPAA violations, covered entities must ensure that their HIPAA compliance programs are robust and well documented and that current BAAs are in effect with all business associates.