Failure To Have A Business Associate Agreement Sets Small Healthcare Provider Back $31K

Apr 28


How to Avoid a Similar Fate

Carol A. Wilcox

PREFERRED Therapy Providers, Inc.

A recent announcement from the HHS Office for Civil Rights (OCR) about the $31,000 a small healthcare provider had to pay for failing to have a business associate agreement with a vendor got us thinking about how easy it is to overlook the tedious (and sometimes costly) details of running a private healthcare practice until it’s too late.

This particular provider is a small for-profit pediatric subspecialty practice operating seven clinic locations in Illinois. According to the OCR Resolution Agreement, OCR learned that the clinic had no Business Associate Agreement (BAA) with the file storage company that held the clinic’s inactive paper medical records, which contain protected health information (PHI). During the investigation and compliance review, neither the clinic nor the storage company was able to produce a signed BAA. The clinic was fined $31,000 and agreed to implement a corrective action plan (CAP).


The HIPAA Privacy Rule applies to covered entities: health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with certain standard transactions. Most covered entities, however, rely on outside businesses or individuals (third-party service providers) to help carry out some of their health care functions. In the case above, the third-party service provider was the file storage company.

HIPAA rules require covered entities to have business associate agreements with those third-party service providers. Examples (not an exhaustive list) of business associate functions and activities include claims processing or administration; data analysis, processing or administration; utilization review; quality assurance; billing; benefit management; practice management; legal and accounting services; consulting; data aggregation; and accreditation. The regulatory definition of “business associate” is in the Code of Federal Regulations at 45 CFR 160.103.

The Privacy Rule allows a covered entity to disclose protected health information to its business associates, provided that the covered entity obtains satisfactory assurances, in a written contract or other arrangement, that the business associate will use the information only for the specific purposes for which it was engaged and will safeguard it from misuse.


We’re pretty sure the provider in this case never expected to end up in an OCR announcement. More likely, they simply didn’t realize they were violating the rules on protected health information. Either way, OCR still imposed the fine and a corrective action plan. The clinic is out a hefty sum of money, and it received a lot of publicity (not the good kind).


Here are some steps you can take to help your clinic become compliant (and please note that this article is for informational purposes only and should not replace professional legal or compliance advice):

  • Make a list of all possible business associates – Although everyone you list may not ultimately be a business associate, getting all the possibilities down on paper makes it less likely that you’ll forget anyone who actually is.
  • Drill down the list to include only valid business associates – Exclude entities that don’t fit the criteria. For example, a vendor that does not create, receive, maintain or transmit PHI in performing services on your behalf is not a business associate; neither are members of your own workforce, nor other health care providers who receive PHI in order to treat patients. The University of Nebraska Medical Center has published a Business Associate Decision Tree that may help with determining what constitutes a valid business associate for your practice.
  • Execute written agreements with valid business associates – The agreement establishes the permitted and required uses and disclosures of PHI or ePHI by the business associate, obligates the business associate to safeguard the information, and requires it to report any use or disclosure not provided for in the agreement. Since the 2013 Omnibus Rule, the business associate must also ensure that any subcontractor handling the PHI agrees in writing to the same restrictions.
  • Comply with the HIPAA Privacy Rule – Develop policies and procedures for your clinic regarding compliance with the HIPAA Privacy Rule, including the provisions your clinic has made for executing valid business associate agreements. HHS has published a summary of the HIPAA Privacy Rule.
  • Train staff – Invest the time to train your staff regularly on handling PHI. Training and documentation on HIPAA rules and regulations will help ensure that your office and your business associates remain compliant.
  • Breach notification and response – Business associates are required to notify the clinic of a breach of unsecured PHI without unreasonable delay and no later than 60 calendar days after discovery (your BAA may set a shorter deadline). The clinic must then respond promptly, including notifying the affected individuals, and for larger breaches HHS and the media, within the timeframes HIPAA sets. Clinics should have policies and procedures in place to address any breach of PHI.
  • Documentation maintenance – HIPAA requires covered entities and business associates to retain required documentation for 6 years from the date it was created or the date it was last in effect, whichever is later. Clinics should therefore keep each BAA, and the records of that relationship, for at least 6 years beyond the date the BAA relationship terminated.
  • Keep Up to Date on Compliance Laws and Regulations – You can easily fall out of compliance if you don’t keep up on any updates issued by HHS/OCR.


Honestly, it’s not going to be fast. But avoiding it isn’t going to make it go away, either. Consider it part of doing business and tackle it a step at a time. If necessary, enlist the services of a compliance adviser; it may be well worth the investment. Protecting your business keeps you in business. It would be a shame to have nothing in place when OCR asks for documentation that you don’t have.

Don’t wait until it’s too late and risk hefty fines, negative publicity and the mistrust of your patients because of failure to protect their health information.

About the Author:

Carol A. Wilcox is the staff writer and head of marketing communications at PREFERRED Therapy Providers, Inc. You can reach Carol here.

This article is brought to you by PREFERRED Therapy Providers Inc. PREFERRED is the nation’s leading payor management services network. Our expertise is working with physical, occupational and speech therapy practices – from single clinics to multiple clinic locations.


