HIPAA Violation Fines: $750,000 settlement highlights the need for HIPAA business associate agreements

Raleigh Orthopedic violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule by handing over Protected Health Information (PHI) for approximately 17,300 patients to a potential business partner without having a business associate agreement in place. Not having a Business Associate Agreement (BAA) in place leaves PHI without the safeguards that protect it from misuse and improper disclosure. The Office for Civil Rights (OCR) opened its investigation after receiving a breach report in April. The investigation found that Raleigh Orthopedic disclosed x-ray films and other protected health information of 17,300 patients to an entity that agreed to transfer the x-ray images to electronic media; in exchange, the entity would receive the silver recovered from the x-ray films. Raleigh Orthopedic did not execute a business associate agreement with this entity before sending the x-rays along with the other PHI.

“HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”

Along with the $750,000 settlement payment, Raleigh Orthopedic is also required to:

  • Revise its policies and procedures to establish a process for assessing whether an entity is a business associate
  • Designate a responsible employee to ensure that a business associate agreement is in place before any PHI is disclosed to a business associate
  • Create a standard template business associate agreement
  • Establish a standard process for retaining documentation of each business associate agreement for at least six (6) years beyond the date the business associate relationship ends
  • Limit disclosures of PHI to any business associate to the minimum necessary to accomplish the purpose for which the business associate was engaged

This is the fifth HIPAA settlement announced by HHS in 2016.

What is the specific HIPAA violation?

Raleigh Orthopedic violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule by disclosing PHI (x-ray films and related records for approximately 17,300 patients) to a vendor without first executing a business associate agreement. The vendor was engaged to transfer the x-ray images to electronic media and was to keep the silver recovered from the films as payment; OCR opened its investigation after receiving a breach report in April. The failure was not that the vendor was engaged, but that PHI left the covered entity with no contractual assurance that it would be safeguarded.

HIPAA Violations and Corrective Action Plan (CAP)

The settlement includes a monetary payment of $750,000 in addition to a robust corrective action plan (CAP). The CAP requires Raleigh Orthopedic to revise its policies and procedures to establish a process for assessing whether an entity is a business associate. Raleigh Orthopedic is also required to designate a responsible individual who will ensure that business associate agreements are in place prior to disclosing any PHI to a business associate.

What could have been done differently?

Before sharing PHI with a vendor, a covered entity needs to ensure it has entered into a valid business associate contract, as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. At a minimum, a business associate agreement should cover:

  • Obligations and Activities of Business Associate
  • Permitted Uses and Disclosures by Business Associate
  • Provision for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions
  • Permissible Request by Covered Entity
  • Term and Termination


To learn more on how EHR 2.0 can help you with setting up polices and procedures that will ensure you have business associate agreements in place and create an action plan, visit us at https://ehr20.com/services/.

Call us today at 866-276-8309 or email us at info@ehr20.com.

Our mission is to assist healthcare organizations and business associates in the development, design, and implementation of practices to secure IT systems and comply with HIPAA/HITECH privacy, security, breach and enforcement rules by protecting patient health information.