Day Pitney healthcare attorney Eric Fader was quoted in an April 22 article, "N.C. Clinic Pays $750,000 to Settle Alleged HIPAA Violations," in Bloomberg BNA's Health Care Daily Report. In the article, Eric discusses a North Carolina orthopedic clinic's recent $750,000 settlement with the Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) over allegations that it potentially violated the HIPAA Privacy Rule by giving patient data to a business partner without first signing a business associate agreement (BAA).

In an April 19 bulletin posted to HHS's website, Jocelyn Samuels, OCR's Director, said, "HIPAA's obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise."

In the Bloomberg BNA article, Eric pointed out that while the federal government has been stressing the importance of BAAs since the Health Information Technology for Economic and Clinical Health (HITECH) Act was released in 2009, many providers still do not have BAAs with all of their business associates. Still other covered entities and business associates may not be aware that the HIPAA Omnibus Rule, released in 2013, required them to update their BAAs. "So any provider that assumes that it's currently in compliance with HIPAA's BAA requirements just because it did comply as of, say, 2008, is likely mistaken," Eric warned.

Referring to OCR's recently announced Phase 2 audits of covered entities and business associates, in which it is expected to initiate enforcement actions when "serious issues" are uncovered, Eric concluded, "In my view, a failure to have all required BAAs in place could very well be considered an inherently serious violation, given the core importance of BAAs in HIPAA."
