Last year, the Department of Health and Human Services made headlines by issuing more than a dozen hefty fines to big companies that deal with Protected Health Information for noncompliance with HIPAA regulations.
That trend has continued into 2017, but with a new twist. The agency is expanding the scope and scale of its investigations. It is now targeting companies, including much smaller firms, that contract out their document storage and disposal if they don’t have a Business Associate Agreement (BAA) on file for the third-party vendor.
Its most recent fine was levied against the Center for Children’s Digestive Health, a small pediatric specialty practice based in Illinois. The company was hit with a $31,000 fine for exactly that reason. According to David Holtzman, Vice President of Compliance at the consulting firm CynergisTek:
“Covered entities and business associates have an absolute obligation to have a BAA in place with contractors and vendors who handle Protected Health Information when performing an activity or function on their behalf.”
What this comes down to is a matter of documented assurance. If your company deals in any way with Protected Health Information, then you must have a BAA on file for any third-party vendor you do business with that handles the data on your behalf in any way. If you can’t produce a copy should HHS ask to see your records, you could face a stiff fine.
Depending on the size of your company, you may be able to absorb a $31,000 hit to your bottom line without missing a beat, but that amounts to an extremely expensive piece of paper. Given the fact that there’s such an easy fix for this issue, the answer seems clear. Be sure you’ve got a BAA on file for every vendor you deal with who comes into contact with any PHI your firm deals with.