The Department of Health and Human Services (HHS) has made any disclosure of Protected Health Information (PHI) not governed by a Business Associate Agreement (BAA) an enforcement priority.
HHS underscored its enforcement priority in a recent $500,000 settlement with a Florida-based physician staffing service.
The staffing service failed to execute a BAA with a billing services provider that subsequently suffered a data breach under HIPAA, exposing thousands of individuals’ PHI. Among other deficiencies, HHS relied heavily on the lack of a BAA in seeking a substantial settlement.
While entities such as hospitals are typically aware of their PHI obligations under HIPAA, smaller physician practice groups and technology service providers to the healthcare industry often are not. Although properly executed BAAs are only one facet of an effective HIPAA compliance program, HHS made clear with this recent settlement that failure to have a BAA in place can result in a costly enforcement action.
In short, if you share PHI you need a BAA.