Raleigh Orthopaedic Clinic, PA, of North Carolina, a 22-physician practice, has agreed to pay $750,000 to settle charges that it potentially violated the HIPAA Privacy Rule by giving protected health information (PHI) for approximately 17,300 patients to a potential business partner without first executing a business associate agreement (BAA).
The federal Health and Human Services Office of Civil Rights (OCR) initiated its investigation of Raleigh Orthopaedic after receiving a breach report on April 30, 2013. OCR’s investigation indicated that Raleigh Orthopaedic released the x-ray films and related PHI of 17,300 patients to an entity that promised to scan the images in exchange for harvesting the silver from the x-ray films. Raleigh Orthopaedic failed to execute a BAA with the entity prior to turning over the x-rays (and PHI).
“HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” said Jocelyn Samuels, Director of the OCR. “It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected.”
In addition to the $750,000 payment, Raleigh Orthopaedic is required to revise its policies and procedures to:
- Establish a process for assessing whether entities are business associates
- Designate a responsible individual to ensure BAAs are in place prior to disclosing PHI to a business associate
- Create a standard template BAA
- Establish a standard process for maintaining documentation of a BAA for at least six years beyond the date of termination of a business associate relationship
- Limit disclosures of PHI to any business associate to the minimum necessary to accomplish the purpose for which the business associate was hired
The Resolution Agreement and Corrective Action Plan can be found on the HHS website.
Eagle Consulting offers comprehensive HIPAA Policies and Procedures, including a model HIPAA Business Associate Agreement, in its HIPAA Policy Store. These policies meet all of the requirements listed above.