$750,000 Settlement Highlights the Need for HIPAA Business Associate Agreements
Posted on Health Care Law News May 22, 2016 by Robert Nicholson
The HHS Office of Civil Rights (OCR) recently announced that Raleigh Orthopaedic Clinic, P.A. of North Carolina has agreed to pay $750,000 to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule by handing over protected health information (PHI) for approximately 17,300 patients to a potential business partner without first executing a business associate agreement. HIPAA covered entities cannot disclose PHI to unauthorized persons, and the lack of a business associate agreement left this sensitive health information without safeguards and vulnerable to misuse or improper disclosure.
OCR initiated its investigation of Raleigh Orthopaedic following receipt of a breach report on April 30, 2013. OCR’s investigation indicated that Raleigh Orthopaedic released the x-ray films and related protected health information of 17,300 patients to an entity that promised to transfer the images to electronic media in exchange for harvesting the silver from the x-ray films. Raleigh Orthopedic failed to execute a business associate agreement with this entity prior to turning over the x-rays (and PHI).
“HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services Office for Civil Rights. “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”
In addition to the $750,000 payment, Raleigh Orthopaedic is required to revise its policies and procedures to: establish a process for assessing whether entities are business associates; designate a responsible individual to ensure business associate agreements are in place prior to disclosing PHI to a business associate; create a standard template business associate agreement; establish a standard process for maintaining documentation of a business associate agreements for at least six (6) years beyond the date of termination of a business associate relationship; and limit disclosures of PHI to any business associate to the minimum necessary to accomplish the purpose for which the business associate was hired.
The Florida health law firm of Nicholson & Eastin, LLP provides advice and representation to covered entities and business associates with HIPAA compliance, breach and enforcement matters. If you have a HIPAA security matter, please contact us for a consultation.