Two recent settlements with the Department of Health & Human Services Office for Civil Rights (OCR) have highlighted the importance of complying with Business Associate Agreement (BAA) rules, which require health care plans and providers to have a BAA in place with any business associate who has access to protected health information (PHI).
The first settlement involved a health care provider that contracted with a data-processing service. After the OCR was notified of a breach of privacy by the data processor, the OCR discovered that the provider never had a BAA with the data processor and furthermore did not conduct a risk analysis or adopt security or BAA policies. The provider was required to pay $500,000, along with implementing a corrective action plan that required updating policies and procedures.
The second settlement resulted from an OCR investigation of a breach involving a terminated employee who had access to protected health information through a web-based scheduling calendar. Upon investigating the breach, the OCR learned that there was no BAA with the calendar's vendor, which means the provider impermissibly shared the PHI of over 500 individuals. The provider was required to pay over $111,000 and to implement a corrective action plan with updated policies and procedures.