Raleigh Orthopaedic Clinic Settles for 750K for Lack of BAA
The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced that a settlement has been reached with Raleigh Orthopaedic Clinic, P.A., of North Carolina over alleged violations of HIPAA Rules. Raleigh Orthopaedic has agreed to pay OCR $750,000 for failing to enter into a business associate agreement (BAA) with a vendor before handing over the protected health information (PHI) of 17,300 patients in 2013.
OCR launched an investigation into a data breach reported by Raleigh Orthopaedic on April 30, 2013. Raleigh Orthopaedic had agreed to provide a potential business associate (BA) with X-Ray films in order to have images transferred to a digital format. The company was allowed to recycle the original films to recover the silver after the images had been transferred to an electronic format. However, the agreement was reached over the telephone and no BAA was obtained.
Prior to providing the company with the X-Rays, Raleigh Orthopaedic should have issued a BAA and obtained a signed copy. The BAA should have detailed the responsibilities the company had to ensure X-Ray data were properly safeguarded at all times. Without it, Raleigh Orthopaedic had not received satisfactory assurances that PHI would be treated as confidential and protected in accordance with HIPAA Rules. The failure to obtain a compliant BAA was a violation of the HIPAA Privacy Rule (45 C.F.R. § 164.502(e)).
In addition to the $750,000 settlement, Raleigh Orthopaedic has agreed to adopt a corrective action plan (CAP). The CAP requires Raleigh Orthopaedic to send OCR a list of the names and addresses of all of its business associates, along with copies of its current business associate agreements.
Policies and procedures must be revised to ensure that at least one individual is made responsible for ensuring that BAAs are obtained from all BAs. A process must also be developed to ensure all future potential BAs are issued with a BAA prior to the disclosure of any PHI.
After policies have been assessed by OCR, Raleigh Orthopaedic must ensure that all BAAs are reviewed to ensure compliance with HIPAA Rules.
Raleigh Orthopaedic must also produce further training material covering the changes to policies and procedures and provide additional training to all employees required to come into contact with PHI.
OCR Director Jocelyn Samuels announced the settlement and pointed out that “HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise.” She went on to say, “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”
The settlement agreement can be viewed here.
Second 2016 Settlement for Lack of a Compliant Business Associate Agreement
This is the second OCR settlement in just over a month that stemmed from the failure of a HIPAA-covered entity to obtain a signed, HIPAA-compliant BAA before disclosing patients’ PHI to a third-party vendor. Last month, OCR settled a case brought against North Memorial Health Care of Minnesota after a data breach investigation revealed that NMHC had not entered into a HIPAA-compliant BAA with a major vendor. NMHC agreed to pay OCR $1.55 million to settle the alleged HIPAA violations, which included the failure to conduct an organization-wide risk analysis.
The second round of OCR compliance audits will take place this year, and OCR-appointed auditors will be checking that compliant BAAs exist for all vendors. The compliance audits are not intended to be a witch hunt, but OCR has already announced that if serious HIPAA violations are discovered during the desk audits, covered entities are likely to be investigated further and subjected to a full compliance review. Given how seriously OCR treats the disclosure of PHI without a compliant BAA in place, covered entities that cannot produce compliant copies should expect financial penalties to follow.