Wagner Header

The Wagner Law Group

The Wagner Law Group is a nationally recognized practice in the areas of ERISA and employee benefits, estate planning, employment, labor and human resources and  investment management.



Established in 1996, The Wagner Law Group is dedicated to the highest standards of integrity, excellence and thought leadership and is considered to be amongst the nation's premier ERISA and employee benefits law firms. The firm has six offices across the country, providing unparalleled legal advice to its clients, including large, small and nonprofit corporations as well as individuals and government entities worldwide. The Wagner Law Group's 27 attorneys, senior benefits consultant and three paralegals combine many years of experience in their fields of practice with a variety of backgrounds. Seven of the attorneys are AV-rated by Martindale-Hubbell and six are Fellows of the American College of Employee Benefits Counsel, an invitation-only organization of nationally recognized employee benefits lawyers.  Seven of the firm's attorneys have been named to the prestigious Super Lawyers list for 2016, which highlights outstanding lawyers based on a rigorous selection process.




Contact Info

The Wagner Law Group


  Integrity | Excellence



Tel: (617) 357-5200 

Fax: (617) 357-5250 

99 Summer Street 

13th Floor

Boston, MA 02110


Washington, D.C.

Tel: (202) 969-2800

  Fax: (202) 969-2568

800 Connecticut Ave., N.W.

Suite 810

Washington, D.C. 20006


Palm Beach Gardens 

Tel: (561) 293-3590
Fax: (561) 293-3591
7108 Fairway Drive
Suite 125
Palm Beach Gardens, FL 33418



Tel: (813) 603-2959

Fax: (813) 603-2961

101 East Kennedy Boulevard

Suite 2140
Tampa, FL  33602 


San Francisco

Tel: (415) 625-0002

Fax: (415) 358-8300

300 Montgomery Street

Suite 600

San Francisco, CA 94104


St. Louis

Tel: (314) 236-0065

Fax: (314) 236-5743
25 W. Moody Avenue
St. Louis, MO  63119







May 4, 2017


 Health and Welfare Law Alert





Covered Entity Agrees to Pay HHS $31,000

for Business Associate Agreement Failure





HHS has announced that a health care provider has paid $31,000 and agreed to implement a corrective action plan to settle potential violations of the Health Insurance Portability and Accountability Act ("HIPAA"). The settlement resulted from the covered entity disclosing more than 10,000 of its patients' personal health information ("PHI") to a document storage company (i.e., a business associate) without first entering into a Business Associate Agreement ("BAA") to obtain assurances that the company would protect the data, as required by HIPAA.


Applicable Law. A BAA is a contract between a HIPAA-covered entity and a business associate. In general terms, a business associate is a service provider that uses PHI to perform its services for a covered entity. Covered entities include group health plans and health care providers.


HIPAA authorizes covered entities to disclose PHI to business associates, provided that the parties meet certain requirements, including the execution of a BAA. The BAAs serve to protect PHI in accordance with HIPAA guidelines.


HIPAA regulations that became effective in 2013, require BAAs to provide that: (i) the business associate will not only report any security incidents of which it becomes aware, but also any breaches of unsecured PHI; and (ii) if the covered entity delegates any of its HIPAA obligations to a business associate, the business associate will comply with such obligations when performing those duties.


Facts. In this case, HHS launched a compliance review of the covered entity following its investigation of the business associate. HHS initially investigated the business associate after hundreds of files containing PHI were found in a dumpster outside its facility.


HHS's compliance review revealed, that while the covered entity began disclosing PHI to the business associate in 2003, neither party could produce a BAA that was executed before 2015. Following its review, HHS determined that the covered entity had disclosed the PHI of nearly 11,000 individuals to the business associate without having a BAA in effect.


To resolve these HIPAA violations, the covered entity agreed to pay HHS $31,000 and implement a corrective action plan that required it to make a number of changes to its policies and procedures for safeguarding PHI. Specifically, the covered entity must establish: (i) a process for determining all of its relationships with business associates; and (ii) procedures for limiting its disclosures of PHI (to its business associates) to the minimum amount necessary.  


Employer Takeaway. In view of HHS's active investigation of HIPAA violations, covered entities must ensure that their HIPAA compliance programs are robust and well documented and that current BAAs are in effect with all business associates.




This Newsletter is protected by copyright. Material appearing herein may be reproduced with appropriate credit.


This Newsletter is provided for information purposes by The Wagner Law Group to clients and others who may be interested in the subject matter, and may not be relied upon as specific legal advice.  This material is not to be construed as legal advice or legal opinions on specific facts. Under the Rules of the Supreme Judicial Court of Massachusetts, this material may be considered advertising.