Lack of HIPAA Business Associate Agreement is costly

If you’ve got a spare million in your back pocket, this story may not concern you. Otherwise, take note and take your HIPAA business associate agreements seriously.

Just days ago, Raleigh Orthopaedic Clinic, P.A. of North Carolina, agreed to pay $750,000 to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule by handing over protected health information (PHI) for approximately 17,300 patients to a potential business partner without first executing a business associate agreement (BAA).  

According to an investigation by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), Raleigh Orthopaedic had released x-ray films and related PHI to an entity that promised to transfer the images to electronic media in exchange for harvesting the silver from the x-ray films.

It may seem like a matter of common sense that HIPAA covered entities cannot disclose PHI to unauthorized persons, but it happened in Raleigh and, without careful attention to detail, it could happen anywhere, including in your organization. Putting off a BAA puts sensitive health information at risk of being misused or improperly disclosed. That’s certainly not good, and neither is the steep financial penalty you could incur for overlooking this critical step.

In a bulletin issued by the HHS, Director Jocelyn Samuels said, “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise.”

She’s right, of course. So how can you keep your entire process in check and guarantee that your BAA is done correctly? PrivaPlan can help. Our HIPAA experts audit your business associate agreements to ensure they are up to date, and validate that an agreement with the proper language is in place for every vendor who is a BA.

“We take the work and hassle out of this process to provide peace-of-mind,” said David Ginsberg, co-founder and president of PrivaPlan. “We will even do the administrative work of contacting the vendors and follow through with storing completed agreements.”

Don’t let something like an incomplete or unexecuted BAA set you back three-quarters of a million dollars. Contact us at or call 877-218-7707.




