Extract from article by Robert Patterson
The Office of Civil Rights (OCR), the agency within the United States Department of Health and Human Services that enforces the HIPAA Privacy and Security Rules, recently sent a clear message about the importance of business associate agreements. In separate settlements with the agency, two health care providers agreed to pay extremely large monetary penalties to settle charges that they violated HIPAA by failing to enter into business associate agreements with vendors before disclosing protected health information (PHI). These two settlements vividly demonstrate that OCR will vigorously enforce the business associate requirements under HIPAA, and both covered entities and business associates should take care to ensure that they are fully compliant with these rules.
The HIPAA Privacy Rule clearly states that a HIPAA “covered entity” – that is, a health care provider that engages in electronic transactions, a health plan, or a health care clearinghouse – cannot disclose PHI to a business associate (BA) unless it first enters into a written business associate agreement. A business associate is any third party that performs certain functions or activities for the covered entity that involve the use or disclosure of PHI – for example, a third party administrator for a health plan, or a physician’s medical record transcriptionist.