Chris Apgar, president of Apgar & Associates, LLC, in Portland, Oregon, shares what to do after ending a contract with a business associate.
A version of this article was first published January 7, 2021, by HCPro's Revenue Cycle Advisor, a sibling publication to HealthLeaders.
Q: If we end a contract with a business associate (BA), does the BA need to provide us with assurance that all protected health information (PHI) has been destroyed? Is this something that should be written into the initial contract? What are the steps to take if the BA does not respond to requests to confirm deletion of PHI?
As far as what steps can be taken if the BA does not respond to requests to confirm deletion of PHI, there are a couple of options. If you have attempted to get the BA to respond several times with no luck, you can bring in counsel to demand a response and/or file a lawsuit against the BA, or you can file a complaint with the Office for Civil Rights (OCR). The OCR complaint would be around the BA not demonstrating adherence to the terms of your BAA and pointing out that the BA retaining PHI is a violation of the minimum necessary requirement.
Editor’s note: Chris Apgar is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS.
Revenue Cycle Advisor combines all of HCPro's Medicare regulatory and reimbursement resources into one handy and easy-to-access portal. News is not just repeated from other sources. It is analyzed by our Medicare experts so professionals can comprehend any new rule and regulatory updates thoroughly. Learn more.