The U.S. Department of Health and Human Services' Office for
Civil Rights (OCR) has lately been broadcasting its increased
attention to, and concern about, HIPAA business associates on a
monthly basis.
In March, the OCR announced a $1.55 million settlement with North Memorial Health Care of
Minnesota that was partially based on a key finding that the
hospital failed to enter into a business associate agreement (BAA)
with a major contractor. Then in April, OCR began its Phase 2 HIPAA Audit Program, which was expanded
to include business associates as well as covered entities, and
entered into another BAA-related settlement (as discussed
here).
Continuing with the recent theme, in May the OCR published a cyber-awareness update entitled
"Is Your Business Associate Prepared for a Security
Incident?" in which it essentially answered
"no." Thus, now is the time for covered entities and
business associates to ensure that they have signed BAAs in place
that adequately address security assessment of the business
associate, breach notification and breach response.