Legal Brief: HIPAA – The Need For Business Associate Agreements


With this recurring column, Elite Healthcare provides readers with insight related to the legal implications of healthcare – offering practical guidance on scenarios that should be avoidable and providing suggested courses of action when appropriate. The examples provided here are those that all providers should be aware of, but many aren’t or are negligent despite their awareness. Don’t let your practice be compromised.

HIPAA: The Need For Business Associate Agreements

It’s going on 30 years since the Health Insurance Portability and Accountability Act was signed into law. Yet a concerning number of HIPAA violations continue to occur in the healthcare community — and that doesn’t even take into account the violations that are never uncovered! Since the compliance date of the Privacy Rule in April 2003, the U.S. Department of Health and Human Services’ Office for Civil Rights has reportedly received more than 220,000 HIPAA complaints. Nearly 28,000 cases have resulted in changes to privacy practices, according to officials.1

Any healthcare provider is likely collaborating with third-party vendors for a variety of patient care services that require disclosing patients’ names and other protected health information (PHI: any medical or payment record from which a person can be identified). In every such case, the healthcare provider must obtain a signed Business Associate Agreement from each party that handles PHI, so that the information stays private and is used only for the purpose for which it was disclosed. For example, technicians at a laboratory cannot share with any other entity (or with anyone internally) that a particular patient is undergoing a particular test, nor can they share any other PHI.

While we are on the subject of HIPAA, another all-too-common oversight among clinicians is that patients’ paper charts are kept unlocked in offices and other locations. Similarly, electronic health records (EHRs) are often left open on a monitor or other screen, visible to anyone within sight of it. All EHR screens should be locked after each healthcare provider’s use and before a provider leaves a room. Computer access should be protected by individual passwords (no shared logins) and granted only on a need-to-know basis. If these warnings don’t seem serious enough, providers can browse some of the more recent reporting on violations and penalties.1


  1. HIPAA News Releases & Bulletins. HHS. 2019. Accessed online:


About The Author