The Ongoing Importance of Completing Business Associate Agreements (BAA) with Vendors

by ih-coc admin

The HHS Office for Civil Rights (OCR) announced on December 4, 2018, that Advanced Care Hospitalists PL (ACH), operating in West Central Florida, agreed to a settlement of $500,000 and to adopt a substantial Corrective Action Plan (CAP) regarding potential HIPAA violations arising out of security breaches caused by hiring a billing contractor without implementing a Business Associate Agreement (BAA).

OCR’s investigation and the resulting judgment addressed the following:

  • That despite being in operation since 2005, ACH did not implement HIPAA-related policies, including risk management and security measures, until 2014.
  • That no policy requiring BAAs was implemented until 2014.
  • That no BAA was entered into with the individual providing medical billing services.

According to the OCR release, the person hired by ACH fraudulently represented himself as being directly affiliated with a Florida-based company named Doctor’s First Choice Billings, Inc. (First Choice). This person provided medical billing services to ACH between November 2011 and June 2012, using First Choice’s name and website, but allegedly without the knowledge or permission of First Choice’s owner.

ACH filed a breach notification report with OCR on April 11, 2014, stating that 400 individuals were affected; however, ACH has since filed a supplemental breach report stating that another 8,855 patients could have been affected. ACH’s discovery of the breach was triggered by an external notification, received in February 2014 from a local hospital, which alerted ACH that PHI was available on the First Choice website.

What is most troubling about this breach is that ACH did not undertake even the simplest security measures to address PHI security with this contractor, nor was any risk assessment conducted between 2005 and 2014 that might have uncovered the breach earlier.

The CAP requires ACH to undertake the following:

  • Prepare an audit of all business associates with which ACH has ever contracted work
  • Provide copies of all BAAs with these associates
  • Undertake an extensive, enterprise-wide risk analysis and assessment
  • Provide a risk management plan that addresses the findings of the risk analysis and assessment
  • Implement an annual ePHI risk assessment
  • Update its written policies to reflect HIPAA mandates and requirements
  • Prepare and receive approval for updated training materials that reflect these policy changes
  • Train all employees, staff, and contractors on these updated policies
  • Maintain records of these trainings
  • Implement changes to how documentation is revised and stored

To mitigate risk arising out of contracting out indirect or administrative business activities, covered entities (CEs) and business associates (BAs) must ensure that:

  • An adequate BAA is in place that specifically addresses the use and disposal of PHI.
  • A background check on the contractor is undertaken to confirm their identity and affiliation.
  • A comprehensive risk analysis and risk management plan is in place before contractors are even interviewed.
  • All requirements and mandates of the HIPAA Security and Privacy Rules are complied with.
  • Documented Security Risk Assessments are conducted periodically to uncover any potential threats.