Lack of BA Agreement Costs Clinic $750,000Second HIPAA Enforcement Action This Year Involving a Vendor Agreement
A North Carolina orthopedic clinic will pay a $750,000 penalty as part of a breach-related settlement involving the release of 17,300 X-ray films containing protected health information to a vendor without having a business associate agreement in place, as required under HIPAA.
The Department of Health and Human Services' Office for Civil Rights says in a April 19 statement that the settlement with Raleigh Orthopaedic Clinic, which operates clinics and an orthopedic surgery center in Raleigh, N.C., spotlights the importance of executing a BA agreement before turning over PHI to third-party vendors.
"HIPAA's obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise," Jocelyn Samuels, director of OCR, said in the statement. "It is critical for entities to know to whom they are handing PHI and to obtain assurances that the information will be protected."
The Raleigh Orthopaedic case highlights a far-too-common problem, says privacy and security expert Kate Borten, founder of The Marblehead Group consultancy.
"The impetus for this investigation and resolution agreement was the privacy breach caused by the complete lack of a business associate relationship and PHI protection," she says. "This continues to be a not uncommon problem in healthcare a decade after the [HIPAA] rules" went into effect.
In fact, OCR's resolution agreement with Raleigh Orthopaedic is the second enforcement action OCR has taken so far this year highlighting the importance of having a business associate agreement.
In March, OCR announced a $1.55 million settlement with North Memorial Healthcare in a case involving the lack of a BA agreement with a vendor as well as the lack of a timely, enterprisewide risk analysis, another HIPAA requirement.
"Covered entities and business associates must have a thorough process around their downstream BAs," Borten says. "At all times, the entity must be sure it has identified all its BAs and that they have signed a compliant business associate agreement prior to PHI release."
Privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, says it's essential for organizations to carefully assess their vendor relationships. "It is important for organizations that have obligations under the HIPAA rules to review all their existing vendor relationships to identify those that involve the creation, maintaining or transmission of PHI and make sure there is a business associate agreement in place," he says.
This latest settlement is the result of an OCR investigation involving a breach reported by Raleigh Orthopaedic in April 2013.
In a 2013 statement, the healthcare entity said it had "contracted with a third-party vendor to transfer old X-ray films into electronic format." Raleigh Orthopaedic said it provided the vendor with the X-ray films, "but the vendor never provided Raleigh Ortho with an electronic version of the films."
The clinic said it conducted an investigation and, "during the first week of March 2013, discovered that it had been the victim of a scam. It appears that the X-ray films were sold to a recycling company in Ohio that harvested the silver from the films. Raleigh Ortho believes the films were ultimately destroyed."
The healthcare provider said at the time that patients' full names and dates of birth accompanied the films, but that it did not believe any other individually identifiable information was on the X-ray films.
In the resolution agreement, however, OCR notes that "HHS received notification from [Raleigh Orthopaedic Clinic] regarding a breach of its PHI resulting from an impermissible disclosure of PHI contained in X-ray films to a third-party vendor after orally arranging for the vendor to harvest the silver from the films in exchange for transferring the X-rays into electronic media."
Raleigh Orthopaedic did not immediately respond to Information Security Media Group's request for comment.
Corrective Action Plan
In addition to the financial settlement, the resolution agreement between OCR and Raleigh Orthopaedic includes a corrective action plan requiring the clinic to revise its policies and procedures related to business associates. That includes:
- Establishing a process for assessing whether entities are business associates;
- Designating an individual responsible for ensuring BA agreements are in place prior to disclosing PHI to a business associate;
- Creating a standard template BA agreement;
- Establishing a standard process for maintaining documentation of BA agreements for at least six years beyond the date of termination of a BA relationship;
- Limiting disclosures of PHI to BAs to the minimum necessary to accomplish the purpose for which the BA was hired; and
- Providing training to its workforce for any changes in policies and procedures related to BAs.
Borten notes that every HIPAA-covered organization should ensure it has "a complete and detailed spreadsheet of its BAs, and that someone has been designated to maintain it, including periodic review by management."
Holtzman of CynergisTek adds that it's critical for every healthcare organization to have "a managed process in place to examine any contract or vendor agreement to identify if PHI is being disclosed, created or maintained in performing that function or service."
Other Recent Settlements
The settlement between OCR and Raleigh Orthopaedic is the fifth enforcement action issued by OCR so far in 2016. In addition to the North Memorial Healthcare case, those include:
- A $3.9 million settlement and resolution agreement in March with Feinstein Institute for Medical Research related to insufficient security management processes, policies and procedures noted by OCR after investigating a breach tied to the theft of an unencrypted laptop containing data on several thousand patients and participants in a research project;
- A $25,000 settlement and resolution agreement in February with Complete P.T., Pool & Land Physical Therapy Inc., resulting from an investigation of a complaint alleging that the organization was impermissibly disclosing PHI on its website for marketing purposes;
- A summary judgment in February requiring Lincare Inc., a provider of respiratory care, medical equipment and other services to in-home patients, to pay a $239,800 civil monetary penalty in a case stemming from a complaint that a Lincare employee left behind documents containing the PHI of 278 patients after moving to a new residence.