
The OCR just announced a $750,000 settlement with Raleigh Orthopaedic Clinic, P.A. of North Carolina to resolve charges that the clinic violated HIPAA by handing over protected health information (PHI) for approximately 17,300 patients to a potential business partner without first executing a business associate agreement. HIPAA covered entities cannot disclose PHI to unauthorized persons, and the lack of a business associate agreement left this sensitive health information without safeguards and vulnerable to misuse or improper disclosure.

The OCR initiated its investigation of Raleigh Orthopaedic following receipt of a breach report on April 30, 2013. Its investigation indicated that Raleigh Orthopaedic released the x-ray films and related protected health information of 17,300 patients to an entity that promised to transfer the images to electronic media in exchange for harvesting the silver from the x-ray films. Raleigh Orthopaedic failed to execute a business associate agreement with this entity prior to turning over the x-rays (and PHI).

“HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” said Jocelyn Samuels, Director of the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”

In addition to the $750,000 payment, Raleigh Orthopaedic is required to revise its policies and procedures to: establish a process for assessing whether entities are business associates; designate a responsible individual to ensure business associate agreements are in place prior to disclosing PHI to a business associate; create a standard template business associate agreement; establish a standard process for maintaining documentation of business associate agreements for at least six (6) years beyond the date of termination of a business associate relationship; and limit disclosures of PHI to any business associate to the minimum necessary to accomplish the purpose for which the business associate was hired.

The HHS offers model business associate agreement language at: Model BAA Language

Copyrights © 2016 & All Rights Reserved by Evolve Technologies, Inc.