No BA Agreement: $750,000 Fine

My business partner and I have been "discussing" whether the term is "satisfactory assurances" or "reasonable assurances" that covered entities must obtain from their business associates. Jocelyn Samuels, director of OCR, didn't settle the discussion with her statement, but she did reinforce that some kind of assurances are needed.

Jocelyn Samuels, director of OCR, said in the statement: "It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected."

My personal choice for assurance would be asking for a copy of the business associate's most recent HIPAA risk assessment, done to the NIST standard. This reduces the business associate's wiggle room to nearly zero and assures the covered entity that the business associate is serious about HIPAA compliance.

The $750,000 fine for Raleigh Orthopedic is an attention getter for most clinics and practices. This isn't Anthem or United but a clinic like many others around the country, and $750,000 will put a serious dent in the year's profits.

Remember that the holy trinity of HIPAA compliance is an updated risk assessment done to the NIST standard, documented staff training, and updated policies. Imagine that you get a desk audit letter from a regulator or business partner requesting copies of these documents within ten days. That is exactly what happened to 10,000 practices and clinics that received Meaningful Use (MU) money. The part that most of them failed was the risk assessment. Checklists do not qualify.

With automation, these are tasks that can be accomplished on an ongoing basis, with documentation that will help create a legal firewall around your organization. Take a look at or contact me for more information.
