Raleigh Orthopaedic Clinic of North Carolina has agreed to pay $750,000 to settle charges that it potentially violated the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules by failing to execute a business associate agreement prior to turning over protected health information (PHI) of 17,300 patients to a potential business partner. The settlement includes a robust corrective action plan.
HIPAA-covered entities cannot disclose PHI to unauthorized persons, and the lack of a business associate agreement left this sensitive health information without safeguards and vulnerable to misuse or improper disclosure, according to the Department of Health and Human Services (HHS) Office of Civil Rights (OCR). OCR initiated its investigation following receipt of a breach report from Raleigh Orthopaedic.
OCR’s investigation indicated that Raleigh Orthopaedic released the X-ray films and related PHI of 17,300 patients to an entity that promised to transfer the images to electronic media in exchange for harvesting the silver from the X-ray films. Raleigh Orthopaedic failed to execute a business associate agreement with this entity prior to turning over the X-rays and PHI, OCR says. “Note that the issues were centered around the lack of the business associate agreement and the breach occurrence and not whether PHI was misused,” says an OCR spokesperson who, under department policy, asked not to be named.
Raleigh Orthopaedic is required to revise its policies and procedures to do the following:
- establish a process for assessing whether entities are business associates;
- designate a responsible individual to ensure business associate agreements are in place before disclosing PHI to a business associate;
- create a standard template business associate agreement that complies with the requirements in the HIPAA privacy rule;
- establish a standard process for maintaining documentation of a business associate agreement for at least six years beyond the date of termination of a business associate relationship;
- limit disclosures of PHI to any business associate to the minimum necessary to accomplish the purpose for which the business associate was hired. (To read the Resolution Agreement, go to http://1.usa.gov/23L9a1v.)
OCR is conducting a second round of audits to assess compliance with HIPAA. Unlike the first round, OCR is including business associates. OCR is emailing notices to entities that might be audited. A questionnaire will help determine audit targets. Auditors will be looking for non-compliance issues that were most common in the first round.
One of the best ways to prepare for a potential round two audit is to study OCR’s audit protocols. The protocols are available online at http://1.usa.gov/24hFxqF. Model business associate agreement language from HHS can be accessed at http://1.usa.gov/1PfLUk8. The language may be adapted for a contract between a business associate and subcontractor.
Jessica Forbes Olson, JD, an attorney with the law firm of Fox Rothschild in Minneapolis, MN, says, “Covered entities and business associates often make the mistake of believing that HIPAA compliance is a one-time project, rather than an all-the-time practice. The upcoming OCR audits should be the impetus many entities need to do a self-audit and ensure their HIPAA ‘ducks’ are in order. Recent OCR enforcement activity has shown that the cost of compliance is a drop in the bucket compared to the cost of non-compliance we’ve seen come in the form of OCR settlements of hundreds of thousands or millions of dollars.”