The Office for Civil Rights (OCR) has taken a recent enforcement action concerning the failure to establish business associate agreements in a timely manner. The following information overviews OCR actions with a practice that failed to establish a Business Associate Agreement (BAA) with one of its vendors for several years.
What Happened…
In August 2015, OCR initiated a compliance review of the practice following an investigation of a Business Associate (BA) that stored records containing protected health information (PHI) for the practice. While the practice began disclosing PHI to the BA in 2003, neither party could produce a BAA signed prior to October 2015. So, while the practice had a current BAA (since 2015) it was discovered that they began using the vendor’s services in 2003 without a BAA.
Citations…
The citation from the failure included:
- Practice failed to obtain satisfactory assurance (in the form of a BAA) that vendor would appropriately safeguard patient information (PHI) of the practice.
- Practice impermissibly disclosed PHI to vendor without satisfactory assurances (in the form of a BAA) that the vendor would appropriately safeguard PHI.
Results…
As a result of the citations, the practice had to agree to pay a Resolution Amount (i.e., fine or penalty) of $31,000 for failing to have a BAA with the vendor, in addition to complying with a Corrective Action Plan (CAP) that OCR imposed.
Lessons learned…
It is important to ensure that a BAA is established with each new vendor that fits the definition of a business associate, as soon as service is initiated with the vendor. A practice may designate one person to fulfill this responsibility, or ensure that each workforce member who has the authority to engage the services of a business associate is trained to obtain a BAA. One person should be designated to periodically review records to ensure that required business associate agreements are in place (e.g., once per year).
For more information about this enforcement action, please see the article titled Business Associate Agreement Enforcement in your June copy of the Advisor®.
