Lack of Business Associate Agreement Costs $500,000! HIPAA & HITECH Act Blog by Jonathan P. Tomes

Advanced Care Hospitalists PL (“ACH”) recently settled a Department of Health and Human Services (“DHHS”) Office for Civil Rights (“OCR”) enforcement action for $500,000 for lack of a business associate agreement in place. ACH provides contracted physicians to hospitals and nursing homes in Florida. The company hired Doctor’s First Choice Billings, a medical billing company. ACH subsequently learned that its patients’ protected health information (“PHI”) was available on First Choice Billing’s website. This exposure revealed ACH patients’ names, dates of birth, and Social Security numbers.

Upon discovery of the breach, ACH notified DHHS that the breach had exposed the PHI of 9,255 patients to outsiders. The resultant OCR investigation revealed that ACH had not entered into a business associate agreement with First Choice, an electronic billing company, which would have required it to have implemented reasonable and appropriate security measures and not to have used or disclosed PHI in a manner that would violate the HIPAA Privacy Rule. In addition, ACH had not conducted a risk analysis, enforced security measures, or adopted required policies and procedures before the breach. This total lack of compliance resulted in the large settlement in lieu of a civil money penalty (“CMP”).

Note that, if an organization performs a service for a covered entity or on its behalf, it is a business associate regardless of whether the covered entity has entered into a business associate agreement with it. And consider that the DHHS appears to be focusing a significant portion of its compliance efforts on the business associate relationship as witnessed by the $2.5 million settlement by Accretive Health, Inc., a collection agency.

EMR Legal and Veterans Press recommend adopting a Business Associate Agreement Policy that includes the following elements:

  • States that no member of the entity’s workforce will enter into any relationship with another individual or organization that may involve the acquisition, maintenance, use, disclosure, or destruction of PHI without first having notified the appropriate official for a determination of whether a business associate agreement is required.
  • Specifies the individual that will make the determination of whether a business associate agreement is required and any guidelines to follow or resources to use, such as review by legal counsel.
  • Specifies who is responsible for ensuring that business associate agreements comply with HIPAA’s requirements, including arranging for necessary legal review. This responsible person is often, but need not necessarily be, the privacy officer.
  • Specifies who is responsible for ensuring that the business associate is not acting as the entity’s agent, so as to avoid liability for the business associate’s breaches.
  • Specifies that no one will use the services of a business associate until a properly executed business associate agreement has been put into place.
  • Specifies that supervisors of the services being performed by a business associate are responsible for ensuring that the business associate is performing those services in accordance with the business associate agreement.
  • Specifies what individual is responsible for ensuring that business associate agreements are current, reflecting any changes in the business associate agreement resulting from changed legal requirements.
  • Specifies that any individual who learns of or suspects a breach by the business associate will immediately report it in accordance with the Report and Response Procedure.
  • Specifies the duties of the person who receives the report of a breach insofar as investigating, remediating, and mitigating the harm of the breach.
  • Specifies that, if the business associate does not cooperate with any investigation or required mitigation action, the entity will terminate the contract.
  • Specifies that violating this policy subjects the offender to appropriate discipline in accordance with the sanction policy.
  • Specifies that business associate agreements will be retained for at least the six-year HIPAA retention period for evidence of HIPAA compliance.

Thus, little doubt exists that having HIPAA and HITECH Act compliant business associate agreements in place is a key area of HIPAA compliance. If one were doing a risk analysis of using a business associate, the risk analysis would show that the cost and effort of getting a business associate agreement in place is minimal compared to the potential liability of lack of a business associate agreement in place.

Alice here: Yes, once again, I am here to try to sell things to keep you and us in business. If you need help with your risk analysis, either initially or for an update, Jon Tomes has written a Risk Analysis ToolKit to provide the structure and tools to help you complete the requirement under HIPAA. You and your risk analysis team can fill it out and document your decisions as to what is reasonable and appropriate for you to adopt in the way of policies and procedures and be done with it. Or you could send your completed risk analysis to Jon to review and render his professional opinion as the country’s leading HIPAA expert (IMO) as to whether it is sufficient to keep you from getting that free trip to Leavenworth or that very expensive trip to the bank. If you have Jon’s Compliance Guide to HIPAA and the DHHS Regulations, 6th edition, with the accompanying HIPAA Documents Resources Center CD, also 6th edition, you can find the Risk Analysis ToolKit on the CD. It is also available with a review by Jon at Also, Jon Tomes presented a webinar recently on “How to Do a HIPAA and HITECH Risk Analysis.” You can buy a recording of it at Jon is also writing a Risk Analysis Update ToolKit, which will be available for you in the near future on the Premium Member section of our website. Please stay tuned for our announcement when it is up and running for you there. Also, include in your risk analysis the lack of a business associate agreement if you are considering hiring a business associate or a downstream business associate.

If you need guidance on how to draft the policies and procedures that your risk analysis or your newly updated risk analysis has shown are reasonable and appropriate for your organization, Jon has also written The Complete HIPAA Policies and Procedures Guide, with the accompanying CD of several dozen HIPAA policies and procedures templates for you to adapt to your situation.

Make sure that you train your entire workforce on HIPAA in general and on the HIPAA policies and procedures according to who needs to know what to perform their duties for you. If you need handy HIPAA training in general, consider Jon’s training video and training manual in either of two forms available here: or Or you could hire Jon to present HIPAA training onsite to your workforce. Just contact him at or 816-527-3858.

Keep your written documentation of all of these HIPAA compliance efforts where you can find them easily and quickly if DHHS shows up demanding your HIPAA compliance documentation. We recommend keeping all of it in Your Happy HIPAA Book. Jon included tabs in the three-ring binder for everything that you need to document and a checklist for each tab. I recommend adding the date that you check off each item in each checklist.

If you have had a security incident that you were unsure as to what exactly to do about, or if you are concerned that you may have one, consider reading Jon’s book How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know.

A sample business associate agreement policy and a sample business associate agreement are posted in the Premium Member section of our website at

As always, thanks for reading Jon’s blog, buying his books and other HIPAA compliance tools, attending our seminars and webinars, and hiring Jon for HIPAA consulting and training. We wish you every success with your HIPAA compliance efforts. By the way, today’s blog item about the lack of a business associate agreement in place is not a joke for April Fool’s Day.
