A small pediatric practice on the wrong end of a HIPAA violation paid a $31,000 fine and agreed to implement a corrective action plan.
What happened? The Office for Civil Rights (OCR) investigated one of the practice’s business associates that stored records for the practice. Then it began a compliance review of the practice, which had been disclosing PHI to the business associate since 2003.
Neither party could produce a signed Business Associate Agreement (BAA).
Proper BAAs are required for all vendors that have access to patient PHI. If you don’t have one with a vendor, and it sustains a breach, your office will share the responsibility—even if the breach is completely due to the business associate’s negligence.
If you think you have BAAs covered at your practice, check the documents and make sure they were written after September 2013 and that they make the business associate directly subject to the HIPAA Security Rule.
Smart Training Platinum+ clients can request current, customized Business Associate Agreements from Smart Training’s certified HIPAA professionals.