As per the article below by Owen Kurtin on jdsupra.com: “A recent Department of Health and Human Services Office of Civil Rights (HHS OCR) $3.5 million settlement confirms that it is a facial violation of HIPAA for a Covered Entity to transmit, and for a Business Associate to receive, patient Protected Health Information without a written, compliant Business Associate Agreement in place. In other words, if there is no written, compliant Business Associate Agreement in place, the Covered Entity had no right to transmit, and the Business Associate had no right to receive, the PHI in the first place.”
This sends a strong message from HHS-OCR about Covered Entity (CE) to Business Associate (BA) relationships and the need for Business Associate Agreements (BAAs). InfoTech Innovators LLC has consistently delivered this same message.
Below is a link to the full article on jdsupra.com.