Continuing to focus on the importance of having HIPAA business associate agreements between providers and contractors in force, the HHS Office for Civil Rights has again imposed heavy sanctions on a healthcare organization.
This time, however, there is no assertion that the breach put patients at serious risk, but that the organization essentially ignored HIPAA. Four-site Raleigh Orthopaedic Clinic of North Carolina has agreed to pay a $750,000 HIPAA settlement penalty and comply with a corrective action plan. More than 30 other organizations have previously agreed to such sanctions after OCR determined they ignored HIPAA.
Raleigh Orthopaedic in April 2013 notified OCR of a breach after the company engaged a business associate who agreed to transfer X-ray films and related protected health information on 17,300 individuals to electronic media in exchange for harvesting the silver from the films, according to OCR. However, during its investigation, OCR determined that Raleigh Orthopaedic did not enter into a HIPAA-mandated business associate agreement with the contractor.
“HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” said OCR Director Jocelyn Samuels in a statement. “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”
Under the resolution agreement and corrective action plan, Raleigh Orthopaedic has agreed to establish a process to assess whether entities are business associates, designate an individual responsible for ensuring a BAA is in place before disclosing PHI, create a standard template BAA, maintain documentation of BAAs for at least six years beyond the date of termination of a BAA contract, and limit disclosure of PHI to the minimum necessary for the BAA to accomplish the task it was hired to do.
Roy Wyman, a partner in the law firm of Nelson Mullins, Riley & Scarborough, says the settlement is notable because “OCR did not show or argue that there was a loss of privacy to particular individuals, but merely stated that the practice failed to execute an agreement under HIPAA. This further supports the view that failure to comply with what some may consider a ‘technical’ requirement of HIPAA can still lead to significant penalties.”
Wyman also warns against a mistaken belief “that X-rays and other tangible items are either not personal health information or that their disclosure will not be considered highly problematic, as not being ‘health information.’” The recipient of an X-ray would know the patient’s name, which is PHI; even if the film came without a name but showed a unique condition, such as the placement of an identifiable object in a patient, that could be considered PHI, he adds.
Raleigh Orthopaedic did not respond to a request for comment. The resolution agreement is available here and an OCR sample business associate agreement is here.