Business Associate Agreement: Do You Have One In Place?

April 14, 2017 | Magazine

    By Rick Snow, Senior VP, Legal & General Counsel


    As a provider in the medical field, you necessarily handle protected health information (“PHI”) of your patients.  You share that PHI with other members of your group and with your employees to the extent needed for them to do their jobs.  For the purposes of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), your group is considered a covered entity.  There are other folks with whom PHI is shared on a regular basis in the course of doing business.  These entities are known as business associates; one example is Medac, Inc., an anesthesia billing company.  Covered entities are required to have a Business Associate Agreement (“BAA”) in place with business associates prior to the provision of PHI.  Failure to do so can lead to substantial fines and penalties.

    Last year, an orthopedic group in Raleigh, North Carolina agreed to pay $750,000 to settle charges that it allegedly violated HIPAA by providing PHI to a potential business partner without first getting a BAA in place.  The group—Raleigh Orthopaedic Clinic, P.A.—released x-ray films and related PHI of 17,300 patients to a company that promised to transfer the images on the films to electronic media in exchange for harvesting the silver from the x-ray film.  Raleigh Orthopaedic neglected to get a BAA with the company before turning over the x-rays and PHI.  As the Department of Health and Human Services (“HHS”) said in their press release on this incident, “HIPAA covered entities cannot disclose PHI to unauthorized persons, and the lack of a business associate agreement left this sensitive health information without safeguards and vulnerable to misuse or improper disclosure.”  

    Another covered entity last year agreed to pay $1,550,000 to settle charges that it potentially violated HIPAA by failing to enter into a BAA with a major contractor, as well as failing to institute a HIPAA risk analysis.  The HHS Office of Civil Rights (“OCR”) investigated this health system after receiving a breach report that an unencrypted, password-protected laptop was stolen from a locked car belonging to an employee of the business associate, affecting the electronic PHI of 9,497 patients.  OCR’s investigation found that the health system failed to have a BAA with its business associate so that the contractor could perform certain payment and health care operations on its behalf.

    These fines are persuasive evidence that the government takes the HIPAA requirement of having a BAA established with a business associate seriously.  As a business associate, Medac makes every effort to ensure that an effective BAA is in place with the covered entity before any PHI is shared by our anesthesia billing company.  But Medac may not be the only anesthesia billing company to which you provide PHI.  If you have other business associates, make sure you have an effective BAA in place—one that takes into account the requirements of the HIPAA Omnibus Final Rule.  OCR provides guidance on sample business associate agreement provisions at  If you have doubts as to which contractors qualify as business associates, check with a lawyer familiar with the HIPAA requirements.  Failure to take these necessary steps can cost you.