Wagner Header

The Wagner Law Group

The Wagner Law Group, A Professional Corporation, is a nationally recognized ERISA & employee benefits, estate planning, employment, labor & human resources practice. 

 

Established in 1996, The Wagner Law Group has 26 attorneys engaged exclusively in employee benefits, estate planning and employment law. Six of our attorneys are AV rated by Martindale-Hubbell as having very high to preeminent legal abilities and ethical standards. The firm is among the largest ERISA boutiques in the country. Our practice is national in scope, with clients in more than 40 states and several foreign countries.

 

 

 

 

Contact Info

The Wagner Law Group

 

  Integrity | Excellence

  

Boston 

Tel: (617) 357-5200 

Fax: (617) 357-5250 

99 Summer Street 

13th Floor

Boston, MA 02110


Palm Beach Gardens 

Tel: (561) 293-3590
Fax: (561) 293-3591
7108 Fairway Drive
Suite 125
Palm Beach Gardens, FL 33418

   

Tampa

Tel: (813) 603-2959

Fax: (813) 603-2961

101 East Kennedy Boulevard

Suite 2140
Tampa, FL  33602 

 

San Francisco

Tel: (415) 625-0002

Fax: (415) 358-8300

300 Montgomery Street

Suite 600

San Francisco, CA 94104

 

St. Louis

Tel: (314) 236-0065

Fax: (314) 236-5743
100 South 4th Street, Suite 550
St. Louis, MO  63102 

 

www.wagnerlawgroup.com

 

 

 

 

December 9, 2016

 

 Health and Welfare Law Alert

 

 

 

   Covered Entity Agrees to Pay HHS $400,000 to Settle HIPAA Violations

 

 

 

 

 

HHS has announced that a covered entity has agreed to pay $400,000 and to implement a corrective action plan for its failure to update its Business Associates Agreement ("BAA"), as required by recently-enacted regulations under the Health Insurance Portability and Accountability Act ("HIPAA").

 

Applicable Law. A BAA is a contract between a HIPAA-covered entity and a business associate. Covered entities include group health plans and health care providers. In general terms, a business associate is a service provider that uses personal health information (PHI) to perform its services for a covered entity.

 

The BAAs serve to protect PHI in accordance with HIPAA guidelines. HIPAA authorizes covered entities to disclose PHI to business associates, provided that the parties meet certain requirements, including the execution of a BAA.

 

HIPAA regulations that became effective in 2013 require BAAs to provide that: (i) the business associate will not only report any security incidents of which it becomes aware, but also any breaches of unsecured PHI; and (ii) if the covered entity delegates any of its HIPAA obligations to a business associate, the business associate will comply with such obligations when performing those duties.

 

Facts. HHS's Office of Civil Rights ("OCR") received notification from a covered entity, a hospital, that one of its business associates had lost unencrypted PHI that contained approximately 14,000 individuals' names, dates of birth, physicians' names and Social Security Numbers. The business associate provided centralized corporate support to the hospital, including technical support and information security.

 

During OCR's subsequent investigation, the hospital provided investigators with a copy of its BAA with the business associate, but the agreement had an effective date of 2005 and was not updated until 2015. After reviewing the BAA, OCR investigators found that the BAA did not incorporate certain revisions required by the 2013 regulations. Accordingly, OCR determined that the hospital, by failing to update its BAA with the business associate, had disclosed PHI to the business associate, and allowed the business associate to access and maintain PHI on its behalf, without obtaining satisfactory assurances required by HIPAA.  

 

To resolve these HIPAA violations, the business associate agreed to pay HHS $400,000 and implement a corrective action plan.

 

Employer Takeaway. In view of OCR's active investigation of reported HIPAA violations, employers are advised to review and update their BAAs to reflect the requirements found in the 2013 HIPAA regulations. To assist employers with meeting these requirements, a sample BAA is available on OCR's website.

 

 

 

 

This Newsletter is protected by copyright. Material appearing herein may be reproduced with appropriate credit.

 

This Newsletter is provided for information purposes by The Wagner Law Group to clients and others who may be interested in the subject matter, and may not be relied upon as specific legal advice.  This material is not to be construed as legal advice or legal opinions on specific facts. Under the Rules of the Supreme Judicial Court of Massachusetts, this material may be considered advertising.