The Wagner Law Group
Wagner Law Group, A Professional Corporation, is a nationally
recognized ERISA & employee benefits, estate planning,
employment, labor & human resources practice.
Founded in 1996, The Wagner Law Group has 26 attorneys engaged
exclusively in employee benefits, estate planning and
employment law. Six of our attorneys are AV rated by
Martindale-Hubbell as having very high to preeminent legal abilities
and ethical standards. The firm is among the largest ERISA boutiques
in the country. Our practice is national in scope, with clients in
more than 40 states and several foreign countries.
Wagner Law Group
Fax: (561) 293-3591
7108 Fairway Drive
Palm Beach Gardens, FL 33418
East Kennedy Boulevard
Tampa, FL 33602
San Francisco, CA 94104
100 South 4th Street, Suite 550
St. Louis, MO 63102
December 9, 2016
Health and Welfare Law
Agrees to Pay HHS $400,000 to Settle HIPAA Violations
The U.S. Department of Health and Human Services ("HHS") has
announced that a covered entity has agreed to pay $400,000 and to
implement a corrective action plan for its failure to update its
Business Associate Agreement ("BAA"), as required by
recently enacted regulations under the Health Insurance Portability
and Accountability Act ("HIPAA").
Law. A BAA is a contract between
a HIPAA-covered entity and a business associate. Covered entities
include group health plans and health care providers. In general
terms, a business associate is a service provider that uses protected
health information ("PHI") to perform its services for a covered
entity. BAAs serve to protect PHI in accordance with HIPAA requirements. HIPAA
authorizes covered entities to disclose PHI to business associates,
provided that the parties meet certain requirements, including the execution
of a BAA.
HIPAA regulations that became effective in 2013 require BAAs to provide
that: (i) the business associate will not only report any security
incidents of which it becomes aware, but also any breaches of
unsecured PHI; and (ii) if the covered entity delegates any of its
HIPAA obligations to a business associate, the business associate
will comply with such obligations when performing those duties.
Facts. HHS's Office for Civil Rights ("OCR")
received notification from a covered entity, a hospital, that one of
its business associates had lost unencrypted PHI that contained
approximately 14,000 individuals' names, dates of birth, physicians'
names and Social Security Numbers. The business associate provided
centralized corporate support to the hospital, including technical
support and information security.
During OCR's subsequent investigation, the hospital provided investigators
with a copy of its BAA with the business associate, but the agreement
had an effective date of 2005 and was not updated until 2015. After
reviewing the BAA, OCR investigators found that the BAA did not
incorporate certain revisions required by the 2013 regulations.
Accordingly, OCR determined that the hospital, by failing to update
its BAA with the business associate, had disclosed PHI to the
business associate, and allowed the business associate to access and
maintain PHI on its behalf, without obtaining satisfactory assurances
required by HIPAA.
To resolve these HIPAA violations, the business associate agreed to pay
HHS $400,000 and implement a corrective action plan.
Takeaway. In view of OCR's
active investigation of reported HIPAA violations, employers are
advised to review and update their BAAs to reflect the requirements
found in the 2013 HIPAA regulations. To assist employers with meeting
these requirements, a sample BAA is available on OCR's website.