Business Associate and Healthcare


Over 8 million dollars were paid in just two settlements due to the lack of a business associate agreement. There are already quite a few cases that demonstrate the importance of formalizing healthcare organizations relationship with their Business Associates and making sure that subcontractors that meet the requirements of a Business Associate are treated as such.

For example:

  • Advocate Health Care Network will pay $5.55 million to settle charges stemming from multiple breaches, one of which involved a hacking incident at its business associate. HHS OCR charged Advocate Health with failing to obtain written business associate contracts
  • Oregon Health and Science University agreed to a $2.7 million settlement based on their use of a cloud computing system without any BAA with the cloud computing vendor.
  • Center for Children’s Digestive Health (CCDH), a small, for-profit health care provider, has paid the U.S. Department of Health and Human Services (HHS) $31,000 to settle potential violations. CCDH uses FileFax, Inc. to store records but under an HHS neither CCDH nor FileFax Inc. were able to produce a signed Business Associate Agreement prior to Oct 2015.

There are a few basic lessons we learned from the previous examples:

  • The Government may determine a Business Associate relationship exists regardless of the existence of a contract;
  • A subcontractor may be classified as a Business Associate even if he/she doesn’t have not have direct access to PHI;
  • Covered Entities must obtain satisfactory assurances from its business associate that the business associate will appropriately safeguard the protected health information it receives or creates on behalf of the covered entity;
  • Chain of custody must be preserved, hence contracts between Business Associates and their subcontractors must include the same provisions as those between Covered Entity and Business Associate;
  • Covered Entities must terminate contract relationship with Business Associates if they fail to comply with the provisions of HIPAA Security.

Our take away is simple, we can no longer afford to use the services of a Business Associates that is non-compliant. We also need to find cost effective methods to ensure that our Business Associates seriously implement the provisions imposed by HIPAA. In a way is simple, either contract with HIPAA Security Certified Businesses or allocate internal resources to ensure your Business Associate and their subcontractors are compliant.