If you’re a healthcare facility of any kind, you might want to update your Business Associate Agreements (BAAs), or otherwise risk facing a HIPAA fine. The U.S. Department of Health and Human Services’ Office of Civil Rights (OCR) recently fined the Women & Infants Hospital of Rhode Island (WIH) for failing to update HIPAA Business Associate Agreements. This has been seen as a pointed message to healthcare facilities and organizations whose BAAs are out of date. According to a Sept. 23 OCR news release announcing the settlements, “WIH provided OCR with a business associate agreement with Care New England Health System effective March 15, 2005, that was not updated until Aug. 28, 2015, as a result of OCR’s investigation, and therefore, did not incorporate revisions required under the HIPAA Omnibus Final Rule.”
The fine incurred by the WIH of Rhode Island stemmed from an investigation into a data breach that occurred in November 2012. At the time, WIH reported to authorities that they had had unencrypted backup tapes of ultrasounds of over 14,000 women stolen. The tapes included names, dates of birth, exam dates, physician names, and social security numbers, in some cases. OCR Director Jocelyn Samuels made an official statement on healthcare organizations’ requirement for having up-to-date HIPAA Business Associate Agreements, saying:
“This case illustrates the vital importance of reviewing and updating, as necessary, business associate agreements, especially in light of required revisions under the Omnibus Final Rule.”
Make sure your BAAs are updated and that you have one for every business associate you do business with, or who has even peripheral access to ePHI (Electronic Protected Health Information). HIPAA regulations require having signed and updated HIPAA Business Associate Agreements, at the risk of an audit and fine. If an organization is audited by OCR and asked to produce their BAAs and cannot, the lack of complete or updated BAAs is definitive proof that the organization does not have a comprehensive or thorough HIPAA compliance program, which will assure a subsequent investigation and hefty fine, in most cases.
The HIPAA and OCR regulatory boards have been around for years now, so there’s no excuse on Earth for any healthcare facility not having BAAs updated, which costs next to nothing in work expenditure. Getting it done will prevent the much larger cost of failing a HIPAA audit and subsequent fines – along with the resultant notoriety (and possible insurance rate increase) from being “that hospital that got dinged for not having their BA agreements up to date”.
Have Questions About BAAs and HIPAA Fines?
If you have questions regarding Business Associate Agreements and avoiding HIPAA violations, eMDTec is a proven leader in providing IT consulting in New Jersey. Contact one of our expert IT staff at (800) 979- or send us an email at email@example.com today, and we can help you with any of your HIPAA compliance and regulatory needs.
155 Pompton Ave. STE 107
Verona, NJ 07044-2935
Phone: (800) 979-2879
Support: (973) 450- 8002
Fax: (973) 239-2425