By James Swann
April 21 — A North Carolina orthopedic clinic reached a $750,000 settlement with the government over allegations that it potentially violated the HIPAA Privacy Rule by handing patient data to a vendor without first signing a business associate agreement (BAA).
The Health and Human Services Office for Civil Rights said that Raleigh Orthopaedic Clinic PA disclosed protected health information (PHI) in the form of X-ray film for roughly 17,300 patients. The X-rays were sent to a third-party vendor that didn't have a BAA with the clinic, a violation of the HIPAA Privacy Rule.
The settlement was announced April 19 and was the culmination of an OCR investigation that began after the clinic filed a breach report in April 2013.
“HIPAA’s obligation on covered entities to obtain business associate agreements is more than a mere check-the-box paperwork exercise,” Jocelyn Samuels, OCR director, said in an April 19 statement.
Kirk Nahra, an attorney with Wiley Rein in Washington, told Bloomberg BNA this is the second recent settlement involving the failure to have a BAA in place, following North Memorial Health's March settlement (53 HCDR, 3/18/16).
Nahra said the North Memorial settlement seemed to be driven by overall security failure, as well as the lack of the BAA, while the current settlement seems to be just about the missing BAA.
Nahra said he thinks most organizations have BAAs in place, but said the settlement is a good reminder to make sure of that.
“The other significant reminder, which may be more of an actual issue, is for business associates to remember that they need downstream business associate agreements with their downstream subcontractors,” Nahra said.
Under the Health Insurance Portability and Accountability Act, a covered entity may not disclose PHI except as the rules permit, and it may disclose PHI to a business associate only after obtaining satisfactory assurances, documented in a BAA, that the business associate will safeguard the information. Without a BAA, the disclosure itself is impermissible and the PHI is left without contractual safeguards.
The Raleigh Orthopaedic Clinic didn't respond to a request for comment.
Eric Fader, an attorney with Day Pitney LLP in New York, told Bloomberg BNA that while the government has been stressing the importance of BAAs since the Health Information Technology for Economic and Clinical Health (HITECH) Act was released in 2009, some covered entities still haven't executed BAAs with all of their business associates.
Fader said other covered entities may have BAAs in place that should have been updated to comply with changes that were mandated by the 2013 HIPAA omnibus rule.
Additionally, simply maintaining PHI, without accessing it, is enough to make an organization a business associate, Fader said. This would apply to companies that provide data storage and backup services to health-care providers, Fader said.
“So any provider that assumes that it's currently in compliance with HIPAA's BAA requirements just because it did comply as of, say, 2008, is likely mistaken,” Fader said.
Fader said the second round of HIPAA audits, which were announced March 21, will audit business associates as well as covered entities, and he said a main focus of the audits will be confirming that all necessary BAAs are in place (55 HCDR, 3/22/16).
“In my view, a failure to have all required BAAs in place could very well be considered an inherently serious violation, given the core importance of BAAs in HIPAA,” Fader said.
In addition to the $750,000 payment, the Raleigh Orthopaedic Clinic agreed to enter into a two-year corrective action plan (CAP) with the OCR. Within 120 days of the start of the CAP, the clinic will have to provide the OCR with a list of all of its business associates as well as copies of all BAAs.
The clinic will also be required to revise its policies regarding business associates to ensure that BAAs become part of all future applicable business relationships, and will have to keep all documents related to the CAP for six years.
The settlement wasn't an admission of liability by the clinic, nor was it a concession by the OCR that the clinic wasn't in violation of the HIPAA rules.
To contact the reporter on this story: James Swann in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Janey Cohen at email@example.com
The OCR resolution agreement is at http://src.bna.com/eik.