
The Penalty for Non-Existent BAAs

Can you say with confidence that your office has a business associate agreement (BAA) in place for each vendor you share information with? Regardless of whether you can answer that question with a resounding “Yes!” or a shrug, it is important that all healthcare providers take some time each year to evaluate (and, if necessary, update) their BAAs.

A recent email blast from the HHS Office for Civil Rights (OCR) reminded us just how costly it can be for Covered Entities to do business with vendors without a BAA in place. Per the email, a Florida-based contractor physicians’ group, Advanced Care Hospitalists PL (ACH), has agreed to pay $500,000 to the OCR and adopt a substantial corrective action plan to settle potential violations of the HIPAA Privacy and Security Rules.

Between November 2011 and June 2012, ACH utilized the services of an individual who presented himself as a representative of a Florida-based company named Doctor’s First Choice Billings, Inc. (First Choice). This individual provided medical billing services to ACH using First Choice’s name and website, allegedly without the knowledge or permission of First Choice’s owner.

Fast forward to February 11, 2014, when a local hospital notified ACH staff members that protected patient information was viewable on the First Choice website, including names, dates of birth and social security numbers. Following the exposure, ACH was able to identify at least 400 affected individuals and asked First Choice to remove the information from its website. The breach report filed by ACH in April 2014 stated that 400 individuals were affected; however, further investigation prompted a supplemental breach report stating that an additional 8,855 patients may have been impacted.

Following the breach, OCR’s investigation revealed that ACH never entered into a business associate agreement with the individual providing medical billing services to ACH, as required by HIPAA, and failed to adopt a policy requiring business associate agreements until April 2014. To add insult to injury, although ACH had been in operation since 2005, it had not conducted a risk analysis or implemented security measures, policies or procedures until April 2014. The full resolution agreement and corrective action plan can be found HERE.

In the example above, we see ACH’s failure to comply with the HIPAA Rules both in its delayed effort to complete a bona fide HIPAA Security Risk Analysis and in its negligence in issuing business associate agreements to its vendors. While it is not ACH’s fault that this individual (allegedly) misrepresented himself, ACH should have entered into the business relationship under the correct protection and terms.

  • ACH did not have a business associate agreement in place with the subcontractor (the First Choice contractor) prior to the work being completed
  • Covered Entity (ACH) did not have a valid HIPAA Security Risk Analysis on file
  • ACH was liable for the breach of their subcontractor
  • $500,000 fine imposed

At HIPAA One, we understand that BAA management can be both a challenge and a drain on your administrative resources. For this reason, we released a BAA management tool integrated with our automated software suite this past fall. All current HIPAA One software users can utilize this software addition to both create and store their BAA agreements in one place at no additional cost. VIEW our brief informational video for more information.

If you are a current HIPAA One user and would like access to BAA, email our support team at: and ask to have BAA turned on for your organization.
