The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has begun phase 2 of its HIPAA compliance audits. The 2016 audits target both covered entities and their business associates. For example, an IT support business working for a healthcare organization is a business associate and is subject to HIPAA's Privacy, Security and Breach Notification Rules.
Serious financial penalties for HIPAA noncompliance
In the largest HIPAA "settlement" to that date (a fine, really), Advocate Health Care, an Illinois-based healthcare group, agreed to pay $5.55 million after, among other incidents, the theft of four unencrypted desktop computers from one of its administrative offices. Taken together, the incidents covered in the settlement involved the records of roughly 4 million patients.
Dragged into the fray was Advocate's business associate, Blackhawk Consulting Group, which provided billing services for Advocate. An unauthorized third party accessed Blackhawk's network and compromised the billing records of more than 2,000 patients.
What is a business associate?
Under the HIPAA Privacy Rule, a business associate is a "person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity."
A business associate could, for example, perform claims processing, data analysis, billing or IT consulting. From medical transcriptionists to consultants performing utilization reviews for a hospital, the HIPAA rules apply, and the covered entity must execute a business associate contract with each of them.
The Business Associate contract
Part of Advocate Health Care's compliance problem had to do with its business associate, Blackhawk. Advocate failed to obtain the necessary assurances in the form of a written business associate contract with Blackhawk. Those assurances cover appropriate safeguarding of all protected health information in the business associate's possession.
The contract is required under 45 CFR 164.502(e), and its required terms are set out in 45 CFR 164.504(e). Generally speaking, the contract must:
When business associate breaches occur
If the covered entity employing the business associate discovers a data breach or other HIPAA violation by that business associate, the covered entity must take the following steps:
HHS has published a Sample Business Associate Agreement on its website.
Penalties for Business Associate HIPAA violations
Under HIPAA, business associates, like the covered entities they serve, are directly liable and can be penalized for:
Civil monetary penalties range from $100 to $50,000 per violation where the entity did not know (and could not reasonably have known) of the violation, and from $1,000 to $50,000 per violation where the violation was due to reasonable cause. Where willful neglect is involved, the minimum rises to $10,000 per violation if the problem is corrected within 30 days and to $50,000 per violation if it is not. Penalties for violations of an identical provision are capped at $1.5 million per calendar year (these are the statutory amounts, before inflation adjustment).
So, when it comes to handling electronic protected health information, business associates carry much the same responsibilities as the covered entities that are their clients.
A word from our sponsor
Global Data Systems, Inc. is the trusted choice when it comes to staying ahead of the latest HIPAA developments, information technology tips, tricks and news. Contact us at (888) 849-6818 or send us an email at info@GDSConnect.com for more information.