Establish a BA Agreement BEFORE Sharing ePHI

In the spirit of football season, the Office of Civil Rights (OCR) seems to be mounting a fourth quarter comeback for 2018. After we thought the OCR was "focused elsewhere," they've announced yet another corrective action plan, this time with Advanced Care Hospitalists (ACH) for $500,000 and two years of OCR oversight.

ACH contracted with a billing service provider without ensuring that HIPAA-required provisions were included in the service contract. A Business Associate (BA) relationship was created when services started and PHI was shared. So, it's not a contract that creates a BA relationship - it's the work performed. Some businesses, and we don't know why, implement a separate BA contract. Our position is that each business relationship is unique, and while there are common elements to any BA contract or relationship, these details belong squarely in the contract that establishes the service.

Notably, this case was first reported to OCR in April of 2014 for events that transpired between November of 2011 and June of 2012. This information should remind us all that while it may take some time, an OCR "bad date" will come, and the cost may be more money than your hospital or practice has in the bank. In addition to the settlement fee, ACH will spend the next two years developing OCR-ready policies and procedures, conducting an enterprise-wide risk analysis, and ensuring all PHI-related services include a HIPAA-compliant contract.

If you are unsure whether you understand BA relationships enough to withstand an OCR investigation, give Proteus a call. We understand HIPAA requirements and can even help you find a real HIPAA lawyer if necessary. Click the OCR logo below if you want more facts supporting this ACH settlement.
