Question: Despite the Sept. 22 deadline, we have not yet updated our business associate agreement (BAA) contracts. What happens now?
Answer: “Technically, a healthcare practice faces statutory penalties for any improperly used or leaked PHI,” answered attorney David Schoolcraft of Ogden Murphy Wallace Attorneys in a Sept. 15 interview with DocuSign. “For example, if a healthcare provider contracts with a medical billing vendor without an updated BAA, they face stiff penalties should there be any improper use of PHI.”
“Updating your BAAs is a risk management strategy, and it allows you to add additional protection clauses, such as stipulations about the use of data and operations in the cloud,” Schoolcraft stated. “With the proliferation of cloud vendors and third parties working with healthcare providers, the new BAAs provide a mechanism to not only require the safeguarding of PHI and the reporting of a breach, but the sharing of responsibility when a breach does occur.”
If you don’t update your BAAs, you won’t have the opportunity to ensure that you have sufficient indemnification and insurance provisions in place, Schoolcraft continued. And without such provisions, you cannot necessarily expect reimbursement and defense from the business associate in the event of a breach.