HIPAA Settlements Emphasize Importance of BAAs

March 15, 2019

Two recent settlements with the Department of Health & Human Services Office for Civil Rights (OCR) have highlighted the importance of complying with the Business Associate Agreement (BAA) rules, which require health plans and health care providers to have a BAA in place with any business associate that has access to protected health information (PHI).

The first settlement involved a health care provider that contracted with a data-processing service. After the OCR was notified of a privacy breach by the data processor, the OCR discovered that the provider never had a BAA with the data processor and, furthermore, had not conducted a risk analysis or adopted security or BAA policies. The provider was required to pay $500,000 and to implement a corrective action plan that required updating its policies and procedures.

The second settlement resulted from an OCR investigation of a breach involving a terminated employee who had access to protected health information through a web-based scheduling calendar. Upon investigating the breach, the OCR learned that there was no BAA with the calendar's vendor, which means the provider impermissibly shared the PHI of over 500 individuals. The provider was required to pay over $111,000 and also to implement a corrective action plan with updated policies and procedures.


© 2019 by Ledbetter Parisi LLC.