First Healthcare Compliance CONNECT December 2020
Q&A: HIPAA Compliance for Business Associates
Catherine Short

Rachel V. Rose, JD, MBA, presented the webinar “HIPAA Compliance for Business Associates” recently and a recording can be viewed here. Rachel returned to answer many commonly asked questions from the webinar.
Are business associates subject to HIPAA penalties?

Yes. As stated in both the HITECH Act and the Final Omnibus Rule, 78 Fed. Reg. 5566 (Jan. 25, 2013), business associates, which include subcontractors, can be held directly liable for HIPAA violations. For example, in 2016, a business associate’s failure to safeguard the protected health information of nursing home residents led to a $650,000 monetary penalty being assessed by HHS OCR. (https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/catholic-health-care-services/index.html)
If you were to give business associates and subcontractors one item that they need to do annually, what would it be?

An annual Risk Analysis, because all technical, administrative and physical safeguards would be identified and corrected.
Is an indemnification provision required in BAAs?

No. In my practice, I see them included quite a bit; however, this particular provision is not a requirement under 45 CFR §164.504(e)(1), nor one that HHS has indicated is preferred. See https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html.
First Healthcare Compliance, LLC © 2020