
The Penalty for Non-Existent BAAs

Can you say with confidence that your office has a business associate agreement (BAA) in place with each vendor you share information with? Whether you can answer that question with a resounding “Yes!” or only a shrug, every healthcare provider should take some time each year to evaluate (and, if necessary, update) its BAAs.

A recent email blast from the HHS Office for Civil Rights (OCR) reminded us just how costly it can be for Covered Entities to do business with vendors without a BAA in place. Per the email, a Florida-based contractor physicians’ group, Advanced Care Hospitalists PL (ACH), has agreed to pay $500,000 to OCR and to adopt a substantial corrective action plan to settle potential violations of the HIPAA Privacy and Security Rules.

Between November 2011 and June 2012, ACH used the services of an individual who presented himself as a representative of a Florida-based company named Doctor’s First Choice Billings, Inc (First Choice). This individual provided medical billing services to ACH using First Choice’s name and website (allegedly) without the knowledge or permission of First Choice’s owner.

Fast forward to February 11, 2014: a local hospital notified ACH staff members that protected patient information, including names, dates of birth and Social Security numbers, was viewable on the First Choice website. Following the exposure, ACH identified at least 400 affected individuals and asked First Choice to remove the information from its website. The breach report ACH filed in April 2014 stated that 400 individuals were affected; however, further investigation prompted a supplemental breach report stating that an additional 8,855 patients may have been impacted.

Following the breach, OCR’s investigation revealed that ACH never entered into a business associate agreement with the individual providing its medical billing services, as HIPAA requires, and did not adopt a policy requiring business associate agreements until April 2014. To add insult to injury, although ACH had been in operation since 2005, it had not conducted a risk analysis or implemented security measures, policies or procedures until April 2014. The full resolution agreement and corrective action plan can be found HERE.

In the example above, ACH’s failure to comply with the HIPAA Rules lies both in its delayed completion of a bona fide HIPAA Security Risk Analysis and in its negligence in executing business associate agreements with its vendors. While it is not ACH’s fault that this individual (allegedly) misrepresented himself, ACH should have entered into the business relationship under the correct protections and terms.

  • ACH did not have a business associate agreement in place with the subcontractor (the First Choice contractor) before the work was performed
  • The Covered Entity (ACH) did not have a valid HIPAA Security Risk Analysis on file
  • ACH was liable for the breach caused by its subcontractor
  • A $500,000 fine was imposed

At HIPAA One, we understand that BAA management can be both a challenge and a drain on your administrative resources. For this reason, this past fall we released a BAA management tool integrated with our automated software suite. All current HIPAA One software users can use this addition to create and store their BAAs in one place at no additional cost. VIEW our brief informational video for more information.

If you are a current HIPAA One user and would like access to BAA, email our support team at: and ask to have BAA turned on for your organization.
