The Department of Health and Human Services (HHS) maintains a list of health-related data breaches affecting 500 or more individuals. HHS obtains this information from the healthcare organizations and business associates who discovered the breach. The list, referred to as the “Wall of Shame,” was recently graced by Central Files, the business associate of covered entity Elkhart Emergency Physicians. HIPAA regulations require covered entities to enter into written business associate agreements (BAAs) with prospective business associates. Business associate agreements, like any other contracts, must be reviewed and updated as a part of BAA compliance.
What is BAA Compliance? Checking and Updating
Indiana-based Elkhart Emergency Physicians, a healthcare provider, entered into a business associate agreement with Central Files. Under the agreement, Central Files was required to destroy certain records and to securely store other records until they would be transferred to another storage company.
In April of 2020, Elkhart discovered that this seemingly straightforward task had not been properly completed. As Elkhart was alerted, the records entrusted to Central Files under the BAA had been dumped in an unsecured location. The breach affected 550,000 people.
Part of BAA compliance consists of one party’s reviewing the other’s performance under a business associate agreement to ensure the other party is performing its responsibilities under the contract. It should go without saying, then, that a party reviewing an agreement must, before any further review, confirm that the other party to the agreement actually still exists. Elkhart did not perform this simple confirmation check. In fact, Central Files had been sold in 2015 to another company. Elkhart’s records destruction business associate agreement, as of 2020, still listed Central Files as the business associate responsible for the destruction of health records.
Had Elkhart reviewed its business associate agreement (BAA) with Central Files, checking it and updating it each year as necessary, the breach might have been prevented.
Under HIPAA regulations, covered entities must ensure that the BAAs they enter into contain language obligating the business associate to safeguard protected health information. If the business associate is not performing its obligations under the contract, the covered entity must attempt to terminate the contract. Suffice it to say, assessing whether the business associate is performing its obligations first requires determining whether the business associate still exists.
Under HIPAA regulations, Elkhart is now subject to fines for failing to perform basic BAA compliance tasks. Since only Elkhart could have determined whether its contracting partner still existed, Elkhart cannot deflect responsibility for the breach.