If you own or manage a clinic, you should be aware of the potential costs that can surface from the lack of a BA agreement. BA is an acronym that stands for business associate. HIPAA enforcement actions regarding vendor agreements can cost your business hundreds of thousands of dollars. Raleigh Orthopedic Clinic is an excellent example of this potential pitfall. The company’s lack of a BA agreement has resulted in a whopping $750,000 penalty.
Why Penalties for Failing to Secure a BA Agreement are so Costly
It might seem like $750,000 is an egregious penalty, yet it is not the first of its kind. It is actually the second major HIPAA enforcement action through the first quarter of this year alone. The $750,000 penalty will be paid as a component of a settlement. The settlement stems from a breach in which 17,300 X-ray films containing private health information were supplied to a vendor without a BA agreement in place. This is a clear violation of HIPAA.
Raleigh Orthopedic Clinic’s expensive mistake should be noted by those who own or operate clinics in the United States. It is imperative that a BA agreement be executed before sensitive data is released to third parties. Otherwise, there is no assurance that the private information will be safeguarded. There are plenty of scam artists posing as third-party vendors and other organizations in order to get their hands on patients’ (and organizations’) data. Something as simple as handing X-rays to a vendor for transfer into an electronic format has the potential to result in HIPAA penalties that cripple a clinic. Such materials feature patients’ full names as well as their dates of birth. If this information found its way into the wrong hands, it could lead to extensive identity theft. This is precisely why HIPAA rules are in place and stringently enforced.
Other Potential Penalties and Ramifications
Aside from significant penalty fees, clinics that fail to secure BA agreements will also have to comply with a corrective action plan. Such a plan forces the violating clinic to drastically alter its procedures for handling the sensitive data of patients and business associates. Raleigh Orthopedic’s plan involves a new process that determines whether certain entities qualify as business associates. It also forces the clinic to dedicate an employee to putting BA agreements in place before PHI is disclosed to other businesses. Additionally, Raleigh Orthopedic will now have to create and abide by a standard template for BA agreements and establish a process for retaining BA agreement documentation for a minimum of 6 years after the date of termination. Once you account for the additional workforce training for BA policy compliance and all of the above-listed requirements, it becomes quite clear that failing to have a BA agreement in place is a mistake that your clinic cannot afford to make.
HIPAA Rules are Violated More Often Than Most Assume
Unfortunately, the Raleigh Orthopedic case is not an aberration. Plenty of clinics and other medical service providers in the healthcare industry are still violating HIPAA rules even though they were passed into law more than a decade ago. This past March, North Memorial Healthcare agreed to pay a $1.55 million settlement as a result of a failure to have a BA agreement in place with a third-party vendor. The considerable settlement figure is also the result of the company’s failure to perform an organization-wide risk analysis in a timely manner.
Protect Your Patients and Your Business With Bulletproof BA Agreements
The bottom line is that the value of having a BA agreement in place before doing business with third-party vendors cannot be overstated. Global Data Systems, Inc. is the trusted choice when it comes to staying ahead of the latest information technology tips, tricks, and news. Contact us at (888) 849-6818 or send us an email at info@GDSConnect.com for more information.