
Business Associates Must Take HIPAA Compliance Seriously

Under the 2013 HIPAA Omnibus Rule, Business Associates (BAs) of Covered Entities are required to comply with HIPAA Privacy and Security requirements in their own right. Little attention has been paid to BA compliance to date, but the Department of Health and Human Services Office for Civil Rights (OCR) is beginning its second round of audits and has specifically indicated that Business Associates will be included in these random audits.

Historically the focus has been on the Covered Entity’s compliance, but now a BA can be pulled into an audit as well. If, during an audit of a Covered Entity, it is determined that its Business Associate is not compliant, both the Covered Entity and the Business Associate could receive fines. OCR considers the Business Associates of a Covered Entity to be part of that Covered Entity’s compliance plan. This is often referred to as the common agency provision of the Omnibus Rule: under the federal common law of agency, a Covered Entity can be held liable for a breach caused by a Business Associate acting on its behalf.

We have already seen a case like this, disclosed in September 2011. Stanford Hospitals contracted with Multi-Specialty Collection Services (MSCS) to perform a revenue cycle review. MSCS subcontracted the graphics portion of the project to a company called Corcino & Associates, LLC. A workforce member at Corcino posted a spreadsheet containing patient data to a now-defunct website called Student of Fortune, a site used by students to find help with schoolwork. The file sat on that site’s servers, unencrypted, for over a year before a patient discovered it and reported it to Stanford.

This was a major breach affecting roughly 20,000 patients’ information, and within days of Stanford reporting it, a $20 million class action lawsuit was filed in California against all of the parties involved. The suit was settled in 2013 for $4.125 million, with MSCS and Corcino covering $3.3 million of the settlement. Stanford’s share was $500K to fund a vendor education program and $250K toward administrative costs. Needless to say, Stanford promptly terminated its business relationship with MSCS. The breach proved to be a very costly mistake for MSCS and Corcino.

Stanford was ultimately cleared of any HIPAA fines or penalties by HHS and the State of California, but it was still left paying $750K for a breach caused by its Business Associate and that Business Associate’s subcontractor. Note that these were settlement contributions, not regulatory fines; the regulatory exposure for a Covered Entity in this position comes on top of any civil liability.

You may have adequate security measures in place, but HIPAA is not just about making sure that data is secure. It is a mandate with very specific administrative, physical and technical requirements that must be met, and documented, in order to reach compliance. Now that audits are becoming a reality, Covered Entities will look for Business Associates that not only claim to be compliant but can prove it by providing documented answers to the following questions:

  1. What is your security program?
  2. How are you educating your workforce?
  3. How do you manage access to and handling of patient/client information?
  4. Do you have policies and procedures for both Privacy and Security?
  5. Have you vetted your Business Associate Subcontractors?

So boost or bust?

That’s up to you. Business Associates who are not HIPAA compliant will likely struggle to retain the confidence of their current clientele, while those that take the time to properly complete their compliance plan stand to gain the business others have lost. Those that are expected to benefit the most are Business Associates who are first to market with a comprehensive HIPAA compliance plan, earning new business while others struggle to catch up.
