Has Your Health Care Company Updated Its Business Associate Agreements?


It may seem like common sense for businesses to keep any agreements with outside vendors up-to-date, but that message clearly hasn’t penetrated the entire health-care industry. The Health and Human Services Office for Civil Rights recently announced a $400,000 settlement with Care New England Health System over the lack of an updated business associate agreement (BAA).

Eric Fader, an attorney with Day Pitney LLP in New York, told me he was a little surprised the OCR was still stressing the need for updated BAAs, especially after two earlier settlements this year both involved the lack of a BAA. “The relatively low settlement amount of $400,000 suggests to me that the OCR recognizes that Care New England's violation was not as serious a violation as never having entered into a BAA would have been,” Fader said.

Care New England, based in Providence, R.I., owns and operates several hospitals and provider groups, providing them back-office support as a business associate. In 2012, Woman & Infants Hospital of Rhode Island reported the loss of unencrypted ultrasound data covering about 14,000 patients. After investigating the loss, the OCR discovered that between September 2014 and August 2015, the hospital let Care New England create, receive or transmit protected health information on its behalf, even though Care New England’s BAA hadn’t been updated to reflect the 2013 HIPAA omnibus final rule.

Kirk Nahra, an attorney with Wiley Rein in Washington, told me that he didn’t think the settlement was targeting business associates, but was rather part of an overall government effort to look into the failure of covered entities to maintain proper BAAs.

Stay on top of new developments in health law and regulation with a free trial to the Health Law Resource Center.

Learn more about Bloomberg Law and sign up for a free trial.