Lack of HIPAA Business Associate Agreement Proves Costly

The lack of a business associate agreement recently resulted in a $750,000 settlement for alleged HIPAA violations.

According to a post on the Department of Health and Human Services website, Raleigh Orthopaedic Clinic  released x-ray films and other protected health information of 17,300 patients to an entity that promised to transfer the images to electronic media in exchange for harvesting the silver from the x-ray films.  This disclosure would have been permissible if a business associate agreement had been in place.

There are many occasions on which health care providers must rely upon outside contractors to assist with various business operations.  In these situations, it is imperative that providers obtain a signed business associate agreement.

HHS offers model business associate agreement language on its website at:

While the model language covers the basic provisions required by the HIPAA Privacy and Security rules, there are often other provisions that parties wish to address in the business associate agreement, such as indemnification, breach notification time frames, and feasibility of the return or destruction of Protected Health Information at the termination of the contract to name a few.

If you need assistance creating or reviewing a business associate agreement, please contact one of our attorneys.  We assist both health care providers and business associates in the development of templates.  We also frequently assist with negotiations where parties wish to make changes to basic business associate provisions.

If you are concerned about the uncertain costs related to hiring an attorney for business associate drafting or review, please contact us to discuss flat fee options so that you have certainty with regard to the costs.

Speak Your Mind