Georgia's Trusted Healthcare
& Medical Provider Attorneys

Healthcare Providers: Your Business Associates Could Cost You Millions

HIPAAHealthcare providers must ensure business associates adequately safeguard private health information

The Department of Health and Human Services (HHS) recently entered into a HIPAA settlement with a Minnesota hospital for $1.5 million because the hospital failed to have a written business associate agreement with one of its contractors.

Business associates are non-covered-HIPAA entities that require access to protected health information (PHI) to perform services for covered entities, often a contractor or subcontractor. The hospital’s policies failed to ensure the business associate adequately protected consumer’s PHI.

While HIPAA applies to certain covered entities, those entities must also ensure that any business associates also adequately secure PHI. HHS found that the Minnesota hospital overlooked two important aspects of the HIPAA rules.

  1. The hospital did not have a written, compliant business associate agreement with one of its IT contractors, and
  2. The hospital failed to have an accurate and thorough risk analysis of its entire IT infrastructure.

HHS investigated after the hospital reported that a laptop was stolen from an employee of the business associate. The laptop contained password protected but unencrypted PHI for almost 10,000 individuals.

The $1.5 million settlement underscores the importance of HIPAA compliance. Healthcare providers must ensure they have compliance agreements with anyone who has access to protected health information. One example of this is when a healthcare provider contracts IT services. Without compliance agreements, companies can be responsible for hefty fines even if a business associate actually causes the PHI security breach.

If you need help creating policies or contracts to protect safeguard private healthcare information, we can help. Please contact Jonathan Anderson at Janderson@JeyLaw.com or 678.325.3872.