If there was ever any doubt whether the Department of Health and Human Services Office of Civil Rights (OCR) was focused on the HIPAA Business Associate Agreement, three recent settlements totaling $5.8 million prove they are. Additionally, the OCR has issued its first settlement against one of these Business Associates with a $650,000 fine for the Catholic Health Care Services of the Archdiocese of Philadelphia.
Without a Business Associate Agreement in place, it is a violation of HIPAA regulations for a Covered Entity to transmit patient Protected Health Information (PHI) and for a Business Associate to receive it. Without one of these agreements in place, neither the Covered Entity nor the Business Associate has the right to transmit a patient’s PHI.
Fortunately one of our partners, Kurtin PLLC, has written an updated “HIPAA Business Associate Agreement Best Practices,” updated for 2016 that outlines solutions for those navigating the Business Associate Agreement requirement. Any HIPAA-regulated entities looking to avoid enforcement penalties can view the PDF here.