Over the last week I’ve heard two different people, in two different settings, say that they thought a Business Associate Contract isn’t really necessary any more, since Business Associates are now directly regulated.
While I understand the intuitive appeal of this conclusion – the idea that two regulated entities need to have a contract between them which is in many ways redundant to their regulatory obligations seems to come from the Department of Redundancy Department – it isn’t just wrong, it’s dangerous. And in fact the very expansion of jurisdiction which allows for this requirement creates potentially massive legal exposures for any two parties who should have a Business Associate Contract and don’t.
To start with, keep in mind that Business Associate status is “definitional,” meaning it attaches when you do something that fits the definition of Business Associate. The lack of a Business Associate Contract doesn’t keep an entity from being a Business Associate, it just puts both parties in violation of the HITECH/HIPAA regulatory requirements.
OCR has made it very, very clear that Business Associate Contracts are definitely required, not only between Covered Entities and their Business Associates, but between lower-tier Business Associates. This is not exactly a hidden provision or matter of ambiguous interpretation, either; it’s very clear in the regulations and the preamble discussion.
I think that a failure to have a Business Associate Contract when required could therefore be interpreted as a “willful neglect” violation for penalty purposes, defined to include “reckless indifference to the obligation to comply with the administrative simplification provision violated.” So, each violation could be penalized at $10,000 to $50,000 per violation, to a calendar year per-type-of-violation maximum of $1.5 million.
I don’t know, but suspect OCR could, and if sufficiently motivated would, interpret the failure to have a Business Associate Contract as a violation of each separate specification required in a Business Associate Contract. My recollection is that there are something like 12 different required provisions in a Business Associate Contract – don’t hold me to a specific number, but it’s about that. So figure you’ve got 12 violations just for not having a Business Associate Contract in the first place. Each of which could be penalized at $10,000 to $50,000 per violation.
Each violation would also be considered a continuing violation, with separate violations counted for each day it went on. If this went on for a year, that’s (365) x (12) = 4,380. Each of the 12 separate violations would then support a calendar year total of $43,800,000 at the $10,000 per violation low-end rate, fortunately capped in each case at $1.5 million per year. So you’re really only looking at $18 million. But it doesn’t stop there. Any use or disclosure of PHI which should have been subject to a Business Associate Contract would also be a separate violation, probably also with willful neglect by extension from the foundational failure to have a Business Associate Contract. And there may well be other events which constitute violations in the absence of a foundational Business Associate Contract.
I would also expect OCR to interpret both the failure to have a Business Associate Contract and the transactions or events which required a predicate Business Associate Contract as violations by both Covered Entity and Business Associate, or upstream Business Associate and downstream Business Associate. Depending on just what activities or services the Business Associate was providing, then, you could pretty easily rack up many, many millions in potential penalties for both entities. And OCR has settled cases for millions in agreed settlement amounts, so they’re clearly willing to use their authority.
So my recommendation to Business Associates who are concerned their Covered Entity clients or upstream Business Associates might be clueless – and I do have Business Associate clients serving smaller healthcare organizations where we have to anticipate that they will be – is to take the burden of Business Associate Contract compliance on yourself. And really, I recommend having your own form and leading the negotiation anyway if you can, if only to get yourself a better position.
By jon stanley February 14, 2013 - 10:36 am
John, my two cents. The fact that OCR will most likely punish a BA for not having a BAA is, in my opinion, correct. The status quo is like the weight of gravity…unseen but there, and ponderous. But it is no longer logical…except to the covered entity who gets to throw in a whole lot more junk not mandated by HIPAA, and then use its bargaining position to get the vendor (most vendors) to go along. The regs will finally catch up, sooner or later, with the logic implicit in their own regulations now. All a BA should show is that they are HIPAA compliant. Every year…or, every two years, or what have you. But old habits die hard.