No Business Associate Agreements? How much can that cost us?

August 28, 2017
By Diane Korbel, client solutions advisor, MediTract Inc.

There’s a significant anniversary coming up for everyone in health care. Sept. 22 is the third anniversary of the deadline set by the Office for Civil Rights (OCR) for bringing the business associate relationships of hospitals, health care institutions, and other covered entities under the HIPAA privacy and security rules, which requires those organizations to have a Business Associate Agreement that is fully compliant with federal law.

That might not sound like an anniversary you would celebrate with your spouse at a fancy restaurant, but it is critically important if you want to avoid a time-consuming and potentially expensive investigation by federal regulators.

Last year OCR, which enforces the HIPAA rules, launched Phase 2 of its HIPAA audit program, conducting “desk audits” and on-site audits of covered entities and business associates, including a review of their business associate agreements.

These are not “toothless tigers.”

Last year OCR took six enforcement actions against covered entities (health care providers, health plans, and health care clearinghouses), the largest of which cost the offender $3.9 million. Being small, or ignorant of the law, is no defense. In April of this year a small, nonprofit provider in Illinois paid $31,000 for not having a Business Associate Agreement with a long-standing supplier.

We believe OCR will become even more aggressive as it establishes protocols for these compliance audits. An OCR HIPAA audit can cover far more than Business Associate Agreements, but they are a good place to start your own review.

What is a business associate?
A business associate is an outside individual or organization that performs functions or activities on behalf of a covered entity that involve the use or disclosure of protected health information. These associates include lawyers, accountants, administrators, and consultants of all stripes, and under the current rules a subcontractor that handles the information on a business associate’s behalf is a business associate in its own right.

A Business Associate Agreement requires the associate to safeguard the information, train its employees and any subcontractors it uses, report any breach to the covered entity, and return or destroy the information when the agreement ends.

What happens in an audit?
OCR will notify you by email that you are being audited. The Phase 2 HIPAA Audit Program uses a comprehensive audit protocol to review the policies and procedures that covered entities and business associates have adopted and actually follow to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules. You will be required to provide a list of all your business associates, with primary and secondary points of contact and a description of the services each provides, along with your policies and related documents, all within as little as 10 business days.

If you haven’t built that list in advance, the request creates a “fire drill.” In a large organization with thousands of contracts, it can be a massive undertaking.

Treat a BAA audit from OCR as you would an IRS audit: having the information readily available will speed the process. One complication is that OCR sends the initial notification by email, and some email systems filter it as junk mail, so make sure the address OCR uses is not blocked and check your spam folder; the response deadline runs from the notification regardless of whether anyone saw it.

Being prepared well in advance for an audit is the key.
One of the first steps is to identify your organization’s business associates and confirm that you have a properly drafted and executed Business Associate Agreement with each of them. Agreements sitting in a remote office or in someone’s file cabinet are not part of your inventory if nobody knows they exist, and you can be out of compliance from the start.

You need to collect and catalogue these agreements, and have the list of business associates, with primary and secondary points of contact, ready to report to OCR.

Building that list can be time-consuming and tedious, but it will save sleepless nights and possible penalties if you are audited. This is where a single contract life cycle management solution can play a critical role.

Where do I turn for help?
In most organizations, the compliance officer and/or chief legal counsel is the first line of information and preparation for an audit.

HHS also has a wealth of information on its website.

Finally, contract life cycle management solution providers like MediTract can be invaluable, supplying an online library or catalogue of contracts, templates for Business Associate Agreements and attachments, and advice on who should be treated as a business associate.

For more information on Business Associate Agreement audits, you can check out a recent webinar we conducted on the subject.

About the author: Diane Korbel is a client solutions advisor in professional services for MediTract Inc., one of the largest contract life cycle and compliance solutions providers. Diane specializes in business associate agreement audits and process improvement. Before joining MediTract she spent 17 years as the corporate insurance manager and risk management systems administrator for a major south Florida health system.