October 10, 2016

The Importance of Business Associate Agreements

By Yasmeen Elhaj, Senior, Advisory Services

The Importance of Business Associate Agreements

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has recently completed a Health Insurance Portability and Accountability Act of 1996 (HIPAA) investigation that resulted in a settlement of $400,000 and a comprehensive action plan. This settlement was for violations committed by Care New England Health System (CNE), a business associate of numerous covered entities. The investigation was prompted by a breach regarding protected health information (PHI). OCR found that the business associate agreement (BAA) was not updated with the HIPAA Omnibus Final Rule revisions. Therefore, the covered entity disclosed PHI to CNE without an appropriate business associate agreement in place.

This investigation and settlement shows the importance of business associate agreements and updating them if necessary. The OCR has a sample business associate agreement that can be utilized as a starting point/reference and can be found here:


All BAAs should have been updated no later than September 23, 2014 (for previously existing agreements) or September 23, 2013, for new agreements.

Related Industry