OCR focuses on HIPAA business associate agreements with $750,000 settlement

On April 20, 2016, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced that provider group Raleigh Orthopaedic Clinic, P.A. of North Carolina (“Raleigh Orthopaedic”) agreed to pay $750,000 to settle charges that it potentially violated the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy Rule “by handing over protected health information (“PHI”) for approximately 17,300 patients to a potential business partner without first executing a business associate agreement.”

OCR initiated its investigation of Raleigh Orthopaedic following receipt of a “breach report” on April 30, 2013. OCR’s investigation indicated that Raleigh Orthopaedic released x-ray films and related protected health information of 17,300 patients to an entity contracted to transfer the x-ray images to electronic media in exchange for harvesting the silver from the films. Raleigh Orthopaedic did not execute a business associate agreement with this entity prior to turning over the x-rays and PHI.

In addition to the $750,000 payment, Raleigh Orthopaedic ultimately agreed to revise its policies and procedures to: “establish a process for assessing whether entities are business associates; designate a responsible individual to ensure business associate agreements are in place prior to disclosing PHI to a business associate; create a standard template business associate agreement; establish a standard process for maintaining documentation of business associate agreements for at least six (6) years beyond the date of termination of a business associate relationship; and limit disclosures of PHI to any business associate to the minimum necessary to accomplish the purpose for which the business associate was hired.”

Raleigh Orthopaedic would have avoided a $750,000 settlement payment, the time devoted to a three-year investigation, and the stigma of a Corrective Action Plan if only someone on staff had ensured that the released PHI was covered by a properly worded business associate agreement. Given that HHS even publishes model business associate agreement language, there is really no excuse for any covered entity or business associate not to use this simple contractual safeguard, especially since it is mandated. Moreover, there is no excuse for not having a standard process in place that documents the execution and retention of business associate agreements; even the smallest practice group has an office manager who could implement such a process.