4 Ways To Ensure HIPAA Compliant Business Associate Agreements

In the wake of an historic, multi-state lawsuit filed against a “Business Associate” earlier this month, it is imperative that companies with business associate agreements (BAA) in place with health care/plan customers review internal data security policies and procedures to ensure they are in compliance with their obligations arising under HIPAA, state privacy laws and the BAAs.

Historic Lawsuit
On December 3, 2018, Attorneys General from 12 states filed a lawsuit against Indiana-based health records company, Medical Informatics Engineering, Inc. (MIE), for a data breach in 2015 that compromised the health care data of approximately 3.9 million people. This is the first time that state attorneys general have united to pursue a HIPAA-related data breach case in federal court, signaling a potential new approach by law enforcement to hold Business Associates accountable for such health data breaches.

The lawsuit alleges that during two weeks in May 2015, hackers stole the electronic Protected Health Information (ePHI) of individuals (such as dates of birth, Social Security numbers, usernames and passwords) that was maintained in electronic medical records stored on MIE’s computer systems. MIE is accused of violating multiple laws, including state consumer protection, data breach, and personal information laws, as well as the federal HIPAA statutes, by: (a) failing to take adequate and reasonable measures to ensure their computer systems were protected, (b) failing to take reasonably available steps to prevent the breaches, (c) failing to disclose material facts regarding the inadequacy of their computer systems and security procedures to properly safeguard patients’ personal health information, (d) failing to honor their representations that patients’ PHI would be protected, and (e) failing to provide timely and adequate notice of the incident.

How to Protect Your Company
The responsibility of protecting the privacy and security of your customers’ health care data is significant, and as this lawsuit reveals, failure to do so can have disastrous consequences for your company. To meaningfully reduce the risk of a breach of your customers’ health care data, you should, at a minimum, take the following steps to ensure compliance with your Business Associate obligations:

  1. Conduct regular and thorough audits/assessments of potential risks and vulnerabilities in your security system.
  2. Implement security measures sufficient to reduce the risks and vulnerabilities identified in such audits/risk assessments, including, but not limited to:
    i) implementation of current encryption technology to protect ePHI both in transit and at rest;
    ii) implementation of appropriate safeguards to protect ePHI on portable devices; and
    iii) implementation and on-going assessment of current access controls (e.g. password controls, 2-step authentication and regular access audits).
  3. Review the breach notification requirements in your existing BAAs (e.g., the process for identifying a breach or security incident, timeliness of reporting to the customer, information required for investigating a breach, etc.) and tighten your procedures for discovery, investigation and notification of a HIPAA or state law data privacy breach.
  4. Implement annual HIPAA training for employees who have access to customers’ ePHI as part of their job function, and for all new employees during orientation.

Our health care team is happy to answer any specific questions you may have about your company’s compliance obligations as a Business Associate. Please feel free to contact Marni Levitt at [email protected] or contact us via our website.


Marni Levitt is a Member of Outside GC’s Boston-based team. She brings over twenty years of experience practicing health care and hospital law, with a focus on healthcare regulatory compliance, HIPAA and privacy-related matters, and general contracts review, including Business Associate Agreements. Marni can be reached at [email protected] or 508-561-4306.

This publication should not be construed as legal advice or a legal opinion on any specific facts or circumstances, nor as an offer to represent you. It is not intended to create, and receipt does not constitute, an attorney-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal questions you may have. Pursuant to applicable rules of professional conduct, portions of this publication may constitute Attorney Advertising.