Outdated BA Agreements: $400,000 Fine

October 3, 2016

I recently had a client ask whether there is a rule about how often HIPAA business associate agreements need to be updated. The answer is: as often as necessary to incorporate changes in the HIPAA rules.

At a minimum, any agreement that predates the HIPAA Omnibus rule, whose compliance date was September 23, 2013, needs to be reviewed. In the case of Care New England Health System, Providence, R.I., the business associate agreement in place was dated 2005 and was not updated until 2015, long after the Omnibus rule took effect. Clearly they were asleep at the switch, but there are plenty of other companies that have a "file and forget" attitude about their BA agreements. HHS and OCR talk about "satisfactory assurances" in § 164.308 Administrative safeguards:

    (b)(1) Standard: Business associate contracts and other arrangements. A
    covered entity, in accordance with §164.306, may permit a business associate
    to create, receive, maintain, or transmit electronic protected health
    information on the covered entity's behalf only if the covered entity
    obtains satisfactory assurances, in accordance with §164.314(a), that the
    business associate will appropriately safeguard the information.

So a signed business associate agreement by itself may not be enough to meet the requirement. As with most of the HIPAA regulations, this is subject to interpretation, but we suggest an active approach to obtaining those assurances. This might mean sending out a security questionnaire, offering free webinars on privacy and security, or even offering free security awareness training to your business associates.

We have a program for our clients that allows them to offer one free security awareness training session to their business associates. The associates get access to an online video, take a quiz, and receive a certificate. The hope is that this will serve as a catalyst for further HIPAA compliance activities on their part.

If you would like to learn more about this security awareness training program, send an email to me at jack@compliancehelper.com
