Part B Insider (Multispecialty) Coding Alert

Are You Breach Bound?

A HIPAA-compliant BAA will help you avoid breach burn.

Unauthorized access and disclosure land many a practice in hot water every year. Often, this type of breach is outside the control of physicians and their certified staff, who diligently follow HIPAA protocols to the letter. Despite these providers’ efforts to stay compliant, the errors can usually be traced to business associates who either ignore the rules or are unaware of them. Ensuring that your business associate agreements (BAAs) are enforced can help you avoid problems down the road.

Who’s to blame?

“There is really no reason why a provider shouldn’t have BAAs in place in 2016,” says Michael D. Bossenbroek, Esq. of Wachler & Associates, P.C. in Royal Oak, Michigan. Though an occasional infraction might still slip by, setting up a firm BAA will likely help you dodge this common breach. The BAA helps enforce the principles of HIPAA, and partners who refuse to enter into this type of contract probably aren’t worth your time.

“Providers need to give careful thought to identifying their business associates and making sure that they have a HIPAA-compliant BAA in place with those business associates,” Bossenbroek says. “Providers aren’t necessarily responsible for the actions of their business associates, but a failure to execute a BAA is an easy way to get pulled into a business associate’s breach or failure to comply with HIPAA.”

Consider This

A strong BAA, with clearly defined policies and procedures, should be a top priority, suggests a recent report from the OCR on HIPAA cybersecurity. The report also highlights the difficulties “covered entities” continue to have with the loss of PHI in their relationships with ill-advised business associates.

“I am aware of at least two recent settlements announced by OCR (North Memorial Health Care of Minnesota/$1.55 million and Raleigh Orthopaedic Clinic, P.A./$750,000) where OCR’s investigation revealed the providers did not have a business associate agreement in place with a business associate, and this was a big point emphasized by OCR in both cases,” Bossenbroek says. “My advice is that providers need to take the business associate relationship seriously.”

Resource: For more information on the OCR cybersecurity update, visit https://nysdental.org/blog/ocr-issues-hipaa-cybersecurity-update.